https://fedoraproject.org/w/api.php?action=feedcontributions&user=Domg472&feedformat=atomFedora Project Wiki - User contributions [en]2024-03-29T09:23:58ZUser contributionsMediaWiki 1.39.4https://fedoraproject.org/w/index.php?title=FreenodeCloaks&diff=254907FreenodeCloaks2011-09-27T09:52:31Z<p>Domg472: </p>
<hr />
<div>= Freenode Cloaks =<br />
<br />
This is the list of contributors who have requested Fedora IRC cloaks for the [http://freenode.net/ freenode] network.<br />
<br />
In order to receive a cloak, you must have completed the following steps:<br />
<br />
* You need to have registered your nick with NickServ.<br />
* You need to have set an email address with NickServ.<br />
* You need to have created an alternate nick and linked it to your primary nick with NickServ.<br />
* You must be in the [[Infrastructure/AccountSystem| Fedora Account System]] and should have completed the CLA before you are eligible for a cloak.<br />
* The nick you list here does not need to be your primary nick, but must be linked to your primary nick.<br />
<br />
{{Admon/tip | If you need instructions for using NickServ, try "<code>/msg NickServ HELP</code>" from the chatline of your IRC client after you have connected to freenode.}}<br />
<br />
If you have not done these things, freenode will not allow us to create your cloak.<br />
If you don't know how to do these things, follow the instructions here: http://freenode.net/faq.shtml#nicksetup<br />
<br />
Your cloak will be: <code>*@fedora/yourIRCnick</code> <br />
If you want something different from that (e.g. @fedora/FASUSERNAME), please specify it in the comments field.<br />
<br />
Note that freenode does not support the use of underscores "_" in cloaks. Other non-alphanumeric characters may also not be supported and will be omitted from the cloak. If you have a preference of how you want your cloak to look, please put it in the comment field.<br />
<br />
{{Admon/caution | Please do not delete example line.}}<br />
<br />
After adding your entry, please be patient until the next round of cloak creations. This is a manual process.<br />
<br />
{|<br />
|- style="color: white; background-color: #3074c2; font-weight: bold" <br />
| '''Real Name''' || '''Email''' || '''IRC Nick''' || '''Account System Name''' || '''Comment'''<br />
|-<br />
| JohnDoe || nobody@fedoraproject.org || nick || example || comment<br />
|-<br />
| Paul-Marc Bougharios || paulmarc.bougharios@gmail.com || paulmarc || paulmarc || No comments :)<br />
|-<br />
| bodhizazen || bodhi.zazen@gmail.com || bodhizazen || bodhizazen || my alternate nick is bodhi_zazen and I currently have an Ubuntu cloak which I am asking to be changed to fedora.<br />
|-<br />
|Kaesar ALNIJRES || akajava0@gmail.com || kaesar_ || kaesar || <br />
|-<br />
|Sirko Kemter || gnokii@fedoraproject.org || gnokii || gnokii ||<br />
|-<br />
| Mahrud Sayrafi || dinovirus[at]gmail[dot]com || mahrud || mahrud ||<br />
|-<br />
| Ariel Constenla-Haile || ariel.constenla.haile[at]gmail[dot]com || arielch || arielch || I currently have an unaffiliated/arielch cloak which I ask to be changed now to a fedora one.<br />
|-<br />
| Theodore Lee || theo148@gmail.com || antiaircraft || antiaircraft ||<br />
|-<br />
| Richard Marko || rissko@gmail.com || sorki || Rmarko || <br />
|-<br />
| Jeffrey Zic || gixugif@gmail.com || Gixugif || Gixugif || Nada<br />
|-<br />
| Francis Zapanta || chainsauce@gmail.com || compromised || compromised ||<br />
|-<br />
| Luis Bazan || bazanluis20@gmail.com || LoKoMurdoK || lbazan || tks<br />
|-<br />
| Ruggero Marchei || qxscio@hotmail.com || ProT-0-TypE || prototype ||<br />
|-<br />
| Dominick Grift || dominick.grift@gmail.com || grift || domg472 ||<br />
|}<br />
<br />
Staff: for accounts containing the character "|", please look at the page source, because the formatted page does not show "|". Thank you!<br />
<br />
== Red Hat Cloaks ==<br />
<br />
If you're on the Red Hat payroll, you can get a *@redhat/yournick cloak. Email spot@redhat.com (from your redhat.com email account) to get one. Remember:<br />
* You need to have registered your nick with NickServ.<br />
* You need to have set an email address with NickServ.<br />
* You need to have created an alternate nick and linked it to your primary nick with NickServ.</div>Domg472https://fedoraproject.org/w/index.php?title=Features/SELinuxFileNameTransition&diff=241102Features/SELinuxFileNameTransition2011-06-10T12:28:00Z<p>Domg472: /* Detailed Description */</p>
<hr />
<div>= Feature Name <!-- The name of your feature --> =<br />
SELinux File Name Transition<br />
== Summary ==<br />
<!-- A sentence or two summarizing what this feature is and what it will do. This information is used for the overall feature summary page for each release. --><br />
This change allows us to write a rule in policy that states if a process labelled A_t creates a specified object class in a directory labelled B_t and the specified object class is named "objectname", it will get the label C_t.<br />
<br />
An example of this would be the administrator going into the /root directory and creating the .ssh directory. In previous versions of Fedora, the directory would get created admin_home_t, even though the policy requires it to be labelled ssh_home_t.<br />
<br />
Now we can write a rule in policy that states, if the unconfined_t process creates the ".ssh" directory in a directory labelled admin_home_t, then it will get created with the label ssh_home_t.<br />
<br />
== Owner ==<br />
<!--This should link to your home wiki page so we know who you are--><br />
* Name: [[User:dwalsh| Daniel J Walsh]]<br />
<br />
<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or technical issues need to be resolved--><br />
* Email: dwalsh@redhat.com<br />
<br />
== Current status ==<br />
* Targeted release: [Fedora 16] <br />
* Last updated: Friday June 10 2012<br />
* Percentage of completion: 100%<br />
<br />
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. --><br />
<br />
== Detailed Description ==<br />
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --><br />
SELinux has always had a problem of how to get the default labels on an object when the object is created. Up until now, there have been three ways of getting the initial label on an object.<br />
<br />
The default way an object gets labelled is to inherit the label of the parent directory. If you create a file named foo in a directory labelled etc_t, then foo will be labelled etc_t.<br />
<br />
This works well in most cases, but in some cases you want to have multiple files within a directory with different labels.<br />
<br />
Policy writers have the ability to override this by writing a rule in policy that states, if a process with type a_t creates an object of class "file" in a directory labelled b_t, the object will get created c_t. One problem with this is that you might have a single program that is going to create multiple objects in the same directory where each object requires a separate label.<br />
<br />
Some applications have SELinux awareness built in that allows them to ask the system what the label of a certain path should be, and then they request from the kernel that the object be created with this label. Examples of applications with SELinux awareness are obviously rpm, restorecon, and udev. Another less known example of an application with SELinux awareness is the passwd command. passwd recreates the /etc/passwd and /etc/shadow files. /etc/passwd should be labelled etc_t, and /etc/shadow should be labelled shadow_t. Because of this and some other concerns, the passwd command has SELinux awareness built into it, and it asks the kernel to create the /etc/passwd and /etc/shadow files with the correct default label.<br />
<br />
But we cannot instrument every application that creates a file/directory on the system with SELinux awareness. So a user creating the public_html directory in his home directory using mkdir will create the directory with the label user_home_t instead of the correct httpd_user_content_t. An administrator creating /etc/resolv.conf with sed will create the file labelled etc_t rather than net_conf_t. Or even the kernel creating /dev/rfcomm0 with the label device_t rather than tty_device_t. In these cases we have either required the user/administrator to run the restorecon command on the newly created object ("restorecon ~/public_html"), or we have added racy tools like restorecond or udev, which watch for the creation of objects using inotify and then relabel them with the correct label. All three of these end up creating an AVC for a confined domain if the label is not fixed before a confined domain tries to use the object.<br />
<br />
With the File Name Transition feature, policy writers can write rules that take into account the file name, not the file path. This is the basename of the file path. Since the kernel knows at the time of object creation the label of the containing directory, the label of the process creating the object and the object's name, we can now write a policy rule that states,<br />
if an unconfined_t process creates a file named resolv.conf in a directory labelled etc_t, the file should get labelled net_conf_t.<br />
<br />
We also added various rules, including:<br />
<br />
* kernel_t creating a chr_file named rfcomm0 in a directory labelled device_t should create it labelled tty_device_t.<br />
** For example: /dev/rfcomm0<br />
* sysadm_t creating a directory named .ssh in a directory labelled admin_home_t should create it labelled ssh_home_t. <br />
** Example: /root/.ssh<br />
* staff_t creating a directory named public_html in a directory labelled user_home_dir_t should create it labelled httpd_user_content_t. <br />
** For Example /home/dwalsh/public_html<br />
<br />
Note: this feature is just about initial file creation. Objects with the wrong label on them will not magically be fixed by this feature. This feature does not use the path to determine the label, since the path can be variable in the kernel (hard/soft links, bind mounts and namespacing can all affect the path).<br />
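<br />
The rules described above, written out in the kernel policy language as an added example (this is not taken from the Fedora policy sources). The module name fname_trans_demo is hypothetical; the type names are the ones used on this page.<br />

```selinux
# Added example: a loadable module expressing the named transitions
# described on this page. The module name is hypothetical; every type
# name comes from the page text.
module fname_trans_demo 1.0;

require {
    type unconfined_t;
    type sysadm_t;
    type staff_t;
    type kernel_t;
    type admin_home_t;
    type ssh_home_t;
    type user_home_dir_t;
    type httpd_user_content_t;
    type etc_t;
    type net_conf_t;
    type device_t;
    type tty_device_t;
    class dir { create };
    class file { create };
    class chr_file { create };
}

# Before: a class-only transition. One (source, parent, class) triple
# yields exactly one default type, so this rule would label every
# directory sysadm_t creates in /root as ssh_home_t, not just ".ssh".
#   type_transition sysadm_t admin_home_t:dir ssh_home_t;

# After: the fourth field is the object name. It is compared with the
# last path component (the basename) at creation time, never the full
# path. Only an exact match gets the listed type; any other name falls
# back to a class-only rule if one exists, otherwise to the type of
# the parent directory.
type_transition unconfined_t admin_home_t:dir ssh_home_t ".ssh";
type_transition sysadm_t admin_home_t:dir ssh_home_t ".ssh";
type_transition staff_t user_home_dir_t:dir httpd_user_content_t "public_html";
type_transition unconfined_t etc_t:file net_conf_t "resolv.conf";
type_transition kernel_t device_t:chr_file tty_device_t "rfcomm0";

# A type_transition only selects the default label. The creating domain
# still needs allow rules to create an object of the resulting type.
```

On a system with setools installed, <code>sesearch -T -s unconfined_t -t admin_home_t -c dir</code> lists the type transitions present in the loaded policy for that source, target and class.<br />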
<br />
== Benefit to Fedora ==<br />
<!-- What is the benefit to the platform? If this is a major capability update, what has changed? If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?--><br />
The major benefit to Fedora is the decrease of SELinux labelling errors. These policy changes will fix a large number of issues users have with SELinux. Over the years, the largest share of SELinux errors has come down to incorrectly labelled files and directories. If we can make sure most of them are labelled correctly without the user or admin needing to understand how SELinux works, SELinux is less likely to create problems. This feature also has the potential to make the system more secure, because a badly labelled file might give other confined processes the chance to read or write its content. For example, most confined applications should not be reading the contents of the .ssh directory, but if it gets the label of the user's home directory by default (as it does in current Fedoras), a confined application may be allowed to read the private key file.<br />
<br />
== Scope ==<br />
<!-- What work do the developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--><br />
This change only affects policy writers and the kernel. No other applications should be affected by this change.<br />
<br />
== How To Test ==<br />
<!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this feature is expected to pass when it is done. If it needs to be tested with different hardware or software configurations, indicate them. The more specific you can be, the better the community testing can be. <br />
<br />
Remember that you are writing this how to for interested testers to use to check out your feature - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your feature.<br />
<br />
A good "how to test" should answer these four questions:<br />
<br />
0. What special hardware / data / etc. is needed (if any)?<br />
1. How do I prepare my system to test this feature? What packages<br />
need to be installed, config files edited, etc.?<br />
2. What specific actions do I perform to check that the feature is<br />
working like it's supposed to?<br />
3. What are the expected results of those actions?<br />
--><br />
<br />
This initial policy work has been done and affects the following directories: /root, $HOME, /dev, /etc.<br />
<br />
Things I would like to see checked. First make sure restorecond is not running. killall -9 restorecond.<br />
<br />
yum remove policycoreutils-restorecond<br />
<br />
# Public_html test.<br />
# useradd test<br />
# mkdir /home/test/public_html<br />
Verify /home/test/public_html is labelled correctly<br />
# restorecon -v /home/test/public_html # No output expected<br />
<br />
# Verify all files created when you log in graphically are created with the correct label.<br />
Now log in graphically to the test account.<br />
# restorecon -R -v /home/test #Hopefully no output...<br />
<br />
# Creating /root/.ssh test<br />
# mv /root/.ssh /root/.ssh.old<br />
# mkdir /root/.ssh<br />
# restorecon -v /root/.ssh # No output expected<br />
# rmdir /root/.ssh<br />
# mv /root/.ssh.old /root/.ssh<br />
<br />
# Creating /etc/resolv.conf<br />
# mv /etc/resolv.conf /tmp<br />
# cp /tmp/resolv.conf /etc<br />
# restorecon -v /etc/resolv.conf # No output expected<br />
<br />
# Bluetooth having the kernel create the device with the correct label<br />
Plug in a Bluetooth device; there should be no AVC about bluetooth_t trying to interact with a device_t chr_file.<br />
<br />
# Verify the kernel will create files in the user's home directory on the server with the correct label when shared over NFS.<br />
Set up NFS to share a user's home directory, mount it on a remote client and create the public_html directory.<br />
Make sure the directory gets created with the correct label on the server.<br />
<br />
If you find other objects that could use this feature, open a bugzilla and we can discuss.<br />
<br />
== User Experience ==<br />
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result? Describe what they will see or notice. --><br />
It really should not be noticed by the user, unless they are looking for it, although hopefully they will notice that SELinux is working better.<br />
<br />
== Documentation ==<br />
<!-- Is there upstream documentation on this feature, or notes you have written yourself? Link to that material here so other interested developers can get involved. --><br />
*<br />
<br />
== Release Notes ==<br />
<!-- The Fedora Release Notes inform end-users about what is new in the release. Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ --><br />
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns. If there are any such changes involved in this feature, indicate them here. You can also link to upstream documentation if it satisfies this need. This information forms the basis of the release notes edited by the documentation team and shipped with the release. --><br />
*<br />
<br />
== Comments and Discussion ==<br />
* See [[Talk:Features/YourFeatureName]] <!-- This adds a link to the "discussion" tab associated with your page. This provides the ability to have ongoing comments or conversation without bogging down the main feature page --><br />
<br />
<br />
[[Category:FeaturePageIncomplete]]<br />
<!-- When your feature page is completed and ready for review --><br />
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler --><br />
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete--><br />
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process --></div>Domg472https://fedoraproject.org/w/index.php?title=Features/SELinuxFileNameTransition&diff=241101Features/SELinuxFileNameTransition2011-06-10T12:25:17Z<p>Domg472: /* Benefit to Fedora */</p>
<hr />
<div>= Feature Name <!-- The name of your feature --> =<br />
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process --></div>Domg472https://fedoraproject.org/w/index.php?title=Features/SELinuxFileNameTransition&diff=241100Features/SELinuxFileNameTransition2011-06-10T12:24:14Z<p>Domg472: /* Summary */</p>
<hr />
<div>= Feature Name <!-- The name of your feature --> =<br />
SELinux File Name Transition<br />
== Summary ==<br />
<!-- A sentence or two summarizing what this feature is and what it will do. This information is used for the overall feature summary page for each release. --><br />
This change allows us to write a rule in policy that states if a process labelled A_t creates a specified object class in a directory labelled B_t and the specified object class is named "objectname", it will get the label C_t.<br />
<br />
An example of this would be the administrator going into the /root directory and creating the .ssh directory. In previous versions of Fedora, the directory would get created admin_home_t, even though the policy requires it to be labelled ssh_home_t.<br />
<br />
Now we can write a rule in policy that states, if the unconfined_t process creates the ".ssh" directory in a directory labelled admin_home_t, then it will get created with the label ssh_home_t.<br />
<br />
== Owner ==<br />
<!--This should link to your home wiki page so we know who you are--><br />
* Name: [[User:dwalsh| Daniel J Walsh]]<br />
<br />
<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or technical issues need to be resolved--><br />
* Email: dwalsh@redhat.com<br />
<br />
== Current status ==<br />
* Targeted release: [Fedora 16] <br />
* Last updated: Friday June 10 2012<br />
* Percentage of completion: 100%<br />
<br />
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. --><br />
<br />
== Detailed Description ==<br />
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --><br />
SELinux has always had a problem of how to get the default labels on an object when the object is created. Up until now, there have been three ways of getting the initial label on an object.<br />
<br />
The default way an object gets labelled is to inherit the label of the parent directory. If you create a file named foo in a directory labelled etc_t, then foo will be labelled etc_t.<br />
<br />
This works well in most cases, but in some cases you want to have multiple files within a directory with different labels.<br />
<br />
Policy writers have the ability to override this by writing a rule in policy that states, if a process with type a_t creates an object of class "file" in a directory labelled b_t, the object will get created c_t. One problem with this is that you might have a single program that is going to create multiple objects in the same directory where each object requires a separate label.<br />
<br />
Some applications have SELinux awareness built in that allows them to ask the system what the label of a certain path should be, and then they request from the kernel that the object be created with this label. Examples of applications with SELinux awareness are obviously rpm, restorecon, and udev. Another less known example of an application with SELinux awareness is the passwd command. passwd recreates the /etc/passwd and /etc/shadow files. /etc/passwd should be labelled etc_t, and /etc/shadow should be labelled shadow_t. Because of this and some other concerns, the passwd command has SELinux awareness built into it, and it asks the kernel to create the /etc/passwd and /etc/shadow files with the correct default label.<br />
<br />
But we cannot instrument every application that creates a file/directory on the system with SELinux awareness. So a user creating the public_html directory in his home directory using mkdir will create the directory with the label user_home_t instead of the correct httpd_user_content_t. An administrator creating /etc/resolv.conf with sed will create the file labelled etc_t rather than net_conf_t. Or even the kernel creating /dev/rfcomm0 with the label device_t rather than tty_device_t. In these cases we have either required the user/administrator to run the restorecon command on the newly created object ("restorecon ~/public_html"), or we have added racy tools like restorecond or udev, which watch for the creation of objects using inotify and then relabel them with the correct label. All three of these end up creating an AVC for a confined domain, if not fixed before a confined domain tries to use the object.<br />
<br />
With the File Name Transitions feature, policy writers can write rules that take into account the file name, not the file path. This is the basename of the file path. Since the kernel knows at the time of object creation the label of the containing directory, the label of the process creating the object and the object's name, we can now write a policy rule that states:<br />
if an unconfined_t process creates a file named resolv.conf in a directory labelled etc_t, the file should get labeled net_conf_t.<br />
<br />
We have also added rules that state:<br />
<br />
* kernel_t creating a chr_file named rfcomm0 in a directory labelled device_t should create it labelled tty_device_t.<br />
** For Example /dev/rfcomm<br />
* sysadm_t creating a directory named .ssh in a directory labelled admin_home_t should create it labelled ssh_home_t. <br />
** Example: /root/.ssh<br />
* staff_t creating a directory named public_html in a directory labelled user_home_dir_t should create it labelled httpd_user_content_t. <br />
** For Example /home/dwalsh/public_html<br />
<br />
Note: this feature is just about initial file creation. Objects with the wrong label on them will not magically be fixed by this feature. This feature does not use the path to determine the label, since the path can be variable in the kernel (hard/soft links, bind mounts and namespacing can all affect the path).<br />
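<br />
The rules described above, written in kernel policy syntax and run through a small model of how the type of a new object is chosen (named rule, then unnamed rule, then the parent directory's type). This is an added example, not code from the feature page or from the SELinux project: the type names come from the text above, while <code>parse_policy</code>, <code>label_on_create</code> and the sample paths are hypothetical, and the model tracks only the type field of the context.<br />

```python
import posixpath
import re
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    source: str          # type of the process creating the object
    target: str          # type of the containing directory
    tclass: str          # object class: file, dir, chr_file, ...
    default: str         # type given to the newly created object
    name: Optional[str]  # basename the rule is tied to, None if unnamed


# type_transition <source> <dir type>:<class> <new type> ["<basename>"];
RULE_RE = re.compile(
    r'type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)'
    r'(?:\s+"([^"]+)")?\s*;')

# Constructed policy excerpt: the four named rules from the text, plus the
# generic unnamed a_t/b_t/c_t rule the text uses to describe the old mechanism.
POLICY = '''
type_transition unconfined_t etc_t:file net_conf_t "resolv.conf";
type_transition kernel_t device_t:chr_file tty_device_t "rfcomm0";
type_transition sysadm_t admin_home_t:dir ssh_home_t ".ssh";
type_transition staff_t user_home_dir_t:dir httpd_user_content_t "public_html";
type_transition a_t b_t:file c_t;
'''


def parse_policy(text: str) -> List[Rule]:
    """Extract every type_transition statement, named or unnamed."""
    return [Rule(*m.groups()) for m in RULE_RE.finditer(text)]


def label_on_create(rules: List[Rule], source: str, dir_type: str,
                    tclass: str, path: str) -> str:
    """Return the type a new object receives at creation time.

    Only the basename of `path` is consulted; the directory is identified
    by its type, never by where it appears in the file system tree.
    """
    name = posixpath.basename(path.rstrip("/"))
    unnamed = None
    for rule in rules:
        if (rule.source, rule.target, rule.tclass) != (source, dir_type, tclass):
            continue
        if rule.name == name:
            return rule.default      # a file name transition wins
        if rule.name is None:
            unnamed = rule.default   # remember the classic transition
    # No rule matched at all: inherit the type of the parent directory.
    return unnamed if unnamed is not None else dir_type


RULES = parse_policy(POLICY)

# Constructed creation events: (source, directory type, class, path).
EVENTS = [
    ("unconfined_t", "etc_t", "file", "/etc/resolv.conf"),
    # Same directory type reached through another path (e.g. a bind mount).
    ("unconfined_t", "etc_t", "file", "/mnt/sysimage/etc/resolv.conf"),
    # Different basename: the named rule does not apply.
    ("unconfined_t", "etc_t", "file", "/etc/resolv.conf.tmp"),
    # Different source domain: the named rule does not apply.
    ("httpd_t", "etc_t", "file", "/etc/resolv.conf"),
    ("sysadm_t", "admin_home_t", "dir", "/root/.ssh"),
    # Right name, wrong class: a regular file called .ssh is not covered.
    ("sysadm_t", "admin_home_t", "file", "/root/.ssh"),
    ("staff_t", "user_home_dir_t", "dir", "/home/dwalsh/public_html"),
    ("kernel_t", "device_t", "chr_file", "/dev/rfcomm0"),
    ("a_t", "b_t", "file", "/srv/anything"),
]


def run_events():
    """Resolve the type for each constructed event."""
    return [(path, label_on_create(RULES, s, d, c, path))
            for s, d, c, path in EVENTS]


if __name__ == "__main__":
    for path, new_type in run_events():
        print(f"{path:35} -> {new_type}")
```
<br />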
<br />
== Benefit to Fedora ==<br />
<!-- What is the benefit to the platform? If this is a major capability update, what has changed? If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?--><br />
The major benefit to Fedora is the decrease in SELinux labelling errors; these policy changes will fix a large number of issues SELinux users have with SELinux. Over the years, the largest share of SELinux errors has come down to incorrectly labeled files/directories. If we can make sure most of them are labelled correctly without the user or admin needing to understand how SELinux works, SELinux is less likely to create problems. This feature also has the potential to make the system more secure, because a badly labelled file might give other confined objects the chance to read/write the content. For example, most confined applications should not be reading the contents of the .ssh directory, but if it gets the label of the user's home directory by default (as it does in current Fedoras), a confined application may be allowed to read the private key file.<br />
<br />
== Scope ==<br />
<!-- What work do the developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--><br />
This change only affects policy writers and the kernel. No other applications should be affected by this change.<br />
<br />
== How To Test ==<br />
<!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this feature is expected to pass when it is done. If it needs to be tested with different hardware or software configurations, indicate them. The more specific you can be, the better the community testing can be. <br />
<br />
Remember that you are writing this how to for interested testers to use to check out your feature - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your feature.<br />
<br />
A good "how to test" should answer these four questions:<br />
<br />
0. What special hardware / data / etc. is needed (if any)?<br />
1. How do I prepare my system to test this feature? What packages<br />
need to be installed, config files edited, etc.?<br />
2. What specific actions do I perform to check that the feature is<br />
working like it's supposed to?<br />
3. What are the expected results of those actions?<br />
--><br />
<br />
This initial policy work has been done and affects the following directories: /root, $HOME, /dev, /etc.<br />
<br />
Things I would like to see checked. First make sure restorecond is not running. killall -9 restorecond.<br />
<br />
yum remove policycoreutils-restorecond<br />
<br />
# Public_html test.<br />
# useradd test<br />
# mkdir /home/test/public_html<br />
Verify /home/test/public_html is labelled correctly<br />
# restorecon -v /home/test/public_html # No output expected<br />
<br />
# Verify all files created when you graphically login are created with the correct label.<br />
Now login graphically to test account.<br />
# restorecon -R -v ~test #Hopefully no output...<br />
<br />
# Creating /root/.ssh test<br />
# mv /root/.ssh /root/.ssh.old<br />
# mkdir /root/.ssh<br />
# restorecon -v /root/.ssh # No output expected<br />
# rmdir /root/.ssh<br />
# mv /root/.ssh.old /root/.ssh<br />
<br />
# Creating /etc/resolv.conf<br />
# mv /etc/resolv.conf /tmp<br />
# cp /tmp/resolv.conf /etc<br />
# restorecon -v /etc/resolv.conf # No output expected<br />
<br />
# Bluetooth having the kernel create the device with the correct label<br />
Plug in a Bluetooth device; there should be no AVC about bluetooth_t trying to interact with a device_t chr_file.<br />
<br />
# Verify the kernel will create files in the user's home directory on the server with the correct label when shared over NFS.<br />
Set up NFS to share a user's homedir, mount the homedir on a remote client and create the .public_html directory.<br />
Make sure on the server the directory gets created with the correct label.<br />
<br />
If you find other objects that could use this feature, open a bugzilla and we can discuss.<br />
<br />
== User Experience ==<br />
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result? Describe what they will see or notice. --><br />
It really should not be noticed by the user, unless they are looking for it, although hopefully they will notice that SELinux is working better.<br />
<br />
== Documentation ==<br />
<!-- Is there upstream documentation on this feature, or notes you have written yourself? Link to that material here so other interested developers can get involved. --><br />
*<br />
<br />
== Release Notes ==<br />
<!-- The Fedora Release Notes inform end-users about what is new in the release. Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ --><br />
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns. If there are any such changes involved in this feature, indicate them here. You can also link to upstream documentation if it satisfies this need. This information forms the basis of the release notes edited by the documentation team and shipped with the release. --><br />
*<br />
<br />
== Comments and Discussion ==<br />
* See [[Talk:Features/YourFeatureName]] <!-- This adds a link to the "discussion" tab associated with your page. This provides the ability to have ongoing comments or conversation without bogging down the main feature page --><br />
<br />
<br />
[[Category:FeaturePageIncomplete]]<br />
<!-- When your feature page is completed and ready for review --><br />
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler --><br />
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete--><br />
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process --></div>Domg472https://fedoraproject.org/w/index.php?title=Features/SELinuxFileNameTransition&diff=241099Features/SELinuxFileNameTransition2011-06-10T12:21:19Z<p>Domg472: /* Detailed Description */</p>
<hr />
<div>= Feature Name <!-- The name of your feature --> =<br />
SELinux File Name Transition<br />
== Summary ==<br />
<!-- A sentence or two summarizing what this feature is and what it will do. This information is used for the overall feature summary page for each release. --><br />
This change allows us to write a rule in policy that states if a process labeled A_t creates a file in a directory labeled B_t and the file is named "filename", it will get the label C_t.<br />
<br />
An example of this would be the administrator going into the /root directory and creating the .ssh directory. In previous versions of Fedora, the directory would get created admin_home_t, even though the policy requires it to be labelled ssh_home_t.<br />
<br />
Now we can write a rule in policy that states, if the unconfined_t process creates the ".ssh" directory in a directory labelled admin_home_t, then it will get created with the label ssh_home_t.<br />
<br />
== Owner ==<br />
<!--This should link to your home wiki page so we know who you are--><br />
* Name: [[User:dwalsh| Daniel J Walsh]]<br />
<br />
<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or technical issues need to be resolved--><br />
* Email: dwalsh@redhat.com<br />
<br />
== Current status ==<br />
* Targeted release: [Fedora 16] <br />
* Last updated: Friday June 10 2012<br />
* Percentage of completion: 100%<br />
<br />
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. --><br />
<br />
== Detailed Description ==<br />
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --><br />
SELinux has always had a problem of how to get the default labels on an object when the object is created. Up until now, there have been three ways of getting the initial label on an object.<br />
<br />
The default way an object gets labelled is to inherit the label of the parent directory. If you create a file named foo in a directory labelled etc_t, then foo will be labelled etc_t.<br />
<br />
This works well in most cases, but in some cases you want to have multiple files within a directory with different labels.<br />
<br />
Policy writers have the ability to override this by writing a rule in policy that states: if a process with type a_t creates an object of class "file" in a directory labelled b_t, the object will get created c_t. One problem with this is that you might have a single program that is going to create multiple objects in the same directory where each object requires a separate directory.<br />
<br />
Some applications have SELinux awareness built in, which allows them to ask the system what the label of a certain path should be and then request from the kernel that the object be created with this label. Examples of applications with SELinux awareness are obviously rpm, restorecon, and udev. Another, less well-known example of an application with SELinux awareness is the passwd command. passwd recreates the /etc/passwd and /etc/shadow files. /etc/passwd should be labelled etc_t, and /etc/shadow should be labelled shadow_t. Because of this and some other concerns, the passwd command has SELinux awareness built into it, and it asks the kernel to create the /etc/passwd and /etc/shadow files with the correct default label.<br />
<br />
But we cannot instrument every application that creates a file/directory on the system with SELinux awareness. So a user creating the public_html directory in his home directory using mkdir will create the directory with the label user_home_t instead of the correct httpd_user_content_t. An administrator creating /etc/resolv.conf with sed will create the file labelled etc_t rather than net_conf_t. Or even the kernel creating /dev/rfcomm0 with the label device_t rather than tty_device_t. In these cases we have either required the user/administrator to run the restorecon command on the newly created object ("restorecon ~/public_html"), or we have added racy tools like restorecond or udev, which watch for the creation of objects using inotify and then relabel them with the correct label. All three of these end up creating an AVC for a confined domain, if not fixed before a confined domain tries to use the object.<br />
<br />
With the File Name Transitions feature, policy writers can write rules that take into account the file name, not the file path. This is the basename of the file path. Since the kernel knows at the time of object creation the label of the containing directory, the label of the process creating the object and the object's name, we can now write a policy rule that states:<br />
if an unconfined_t process creates a file named resolv.conf in a directory labelled etc_t, the file should get labeled net_conf_t.<br />
<br />
We have also added rules that state:<br />
<br />
* kernel_t creating a chr_file named rfcomm0 in a directory labelled device_t should create it labelled tty_device_t.<br />
** For Example /dev/rfcomm<br />
* sysadm_t creating a directory named .ssh in a directory labelled admin_home_t should create it labelled ssh_home_t. <br />
** Example: /root/.ssh<br />
* staff_t creating a directory named public_html in a directory labelled user_home_dir_t should create it labelled httpd_user_content_t. <br />
** For Example /home/dwalsh/public_html<br />
<br />
Note: this feature is just about initial file creation. Objects with the wrong label on them will not magically be fixed by this feature. This feature does not use the path to determine the label, since the path can be variable in the kernel (hard/soft links, bind mounts and namespacing can all affect the path).<br />
<br />
== Benefit to Fedora ==<br />
<!-- What is the benefit to the platform? If this is a major capability update, what has changed? If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?--><br />
The major benefit to Fedora is the decrease in SELinux labelling errors; these policy changes will fix a large number of issues SELinux users have with SELinux. Over the years, the largest share of SELinux errors has come down to incorrectly labeled files/directories. If we can make sure most of them are labelled correctly without the user or admin needing to understand how SELinux works, SELinux is less likely to create problems. This feature also has the potential to make the system more secure, because a badly labelled file might give other confined objects the chance to read/write the content. For example, most confined applications should not be reading the contents of the .ssh directory, but if it gets the label of the user's home directory by default (as it does in current Fedoras), a confined application may be allowed to read the private key file.<br />
<br />
== Scope ==<br />
<!-- What work do the developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--><br />
This change only affects policy writers and the kernel. No other applications should be affected by this change.<br />
<br />
== How To Test ==<br />
<!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this feature is expected to pass when it is done. If it needs to be tested with different hardware or software configurations, indicate them. The more specific you can be, the better the community testing can be. <br />
<br />
Remember that you are writing this how to for interested testers to use to check out your feature - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your feature.<br />
<br />
A good "how to test" should answer these four questions:<br />
<br />
0. What special hardware / data / etc. is needed (if any)?<br />
1. How do I prepare my system to test this feature? What packages<br />
need to be installed, config files edited, etc.?<br />
2. What specific actions do I perform to check that the feature is<br />
working like it's supposed to?<br />
3. What are the expected results of those actions?<br />
--><br />
<br />
This initial policy work has been done and affects the following directories: /root, $HOME, /dev, /etc.<br />
<br />
Things I would like to see checked. First make sure restorecond is not running. killall -9 restorecond.<br />
<br />
yum remove policycoreutils-restorecond<br />
<br />
# Public_html test.<br />
# useradd test<br />
# mkdir /home/test/public_html<br />
Verify /home/test/public_html is labelled correctly<br />
# restorecon -v /home/test/public_html # No output expected<br />
<br />
# Verify all files created when you graphically login are created with the correct label.<br />
Now login graphically to test account.<br />
# restorecon -R -v ~test #Hopefully no output...<br />
<br />
# Creating /root/.ssh test<br />
# mv /root/.ssh /root/.ssh.old<br />
# mkdir /root/.ssh<br />
# restorecon -v /root/.ssh # No output expected<br />
# rmdir /root/.ssh<br />
# mv /root/.ssh.old /root/.ssh<br />
<br />
# Creating /etc/resolv.conf<br />
# mv /etc/resolv.conf /tmp<br />
# cp /tmp/resolv.conf /etc<br />
# restorecon -v /etc/resolv.conf # No output expected<br />
<br />
# Bluetooth having the kernel create the device with the correct label<br />
Plug in a Bluetooth device; there should be no AVC about bluetooth_t trying to interact with a device_t chr_file.<br />
<br />
# Verify the kernel will create files in the user's home directory on the server with the correct label when shared over NFS.<br />
Set up NFS to share a user's homedir, mount the homedir on a remote client and create the .public_html directory.<br />
Make sure on the server the directory gets created with the correct label.<br />
<br />
If you find other objects that could use this feature, open a bugzilla and we can discuss.<br />
<br />
== User Experience ==<br />
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result? Describe what they will see or notice. --><br />
It really should not be noticed by the user, unless they are looking for it, although hopefully they will notice that SELinux is working better.<br />
<br />
== Documentation ==<br />
<!-- Is there upstream documentation on this feature, or notes you have written yourself? Link to that material here so other interested developers can get involved. --><br />
*<br />
<br />
== Release Notes ==<br />
<!-- The Fedora Release Notes inform end-users about what is new in the release. Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ --><br />
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns. If there are any such changes involved in this feature, indicate them here. You can also link to upstream documentation if it satisfies this need. This information forms the basis of the release notes edited by the documentation team and shipped with the release. --><br />
*<br />
<br />
== Comments and Discussion ==<br />
* See [[Talk:Features/YourFeatureName]] <!-- This adds a link to the "discussion" tab associated with your page. This provides the ability to have ongoing comments or conversation without bogging down the main feature page --><br />
<br />
<br />
[[Category:FeaturePageIncomplete]]<br />
<!-- When your feature page is completed and ready for review --><br />
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler --><br />
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete--><br />
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process --></div>Domg472https://fedoraproject.org/w/index.php?title=Features/SELinuxFileNameTransition&diff=241098Features/SELinuxFileNameTransition2011-06-10T12:19:13Z<p>Domg472: /* How To Test */</p>
<hr />
<div>= Feature Name <!-- The name of your feature --> =<br />
SELinux File Name Transition<br />
== Summary ==<br />
<!-- A sentence or two summarizing what this feature is and what it will do. This information is used for the overall feature summary page for each release. --><br />
This change allows us to write a rule in policy that states if a process labeled A_t creates a file in a directory labeled B_t and the file is named "filename", it will get the label C_t.<br />
<br />
An example of this would be the administrator going into the /root directory and creating the .ssh directory. In previous versions of Fedora, the directory would get created admin_home_t, even though the policy requires it to be labelled ssh_home_t.<br />
<br />
Now we can write a rule in policy that states, if the unconfined_t process creates the ".ssh" directory in a directory labelled admin_home_t, then it will get created with the label ssh_home_t.<br />
<br />
== Owner ==<br />
<!--This should link to your home wiki page so we know who you are--><br />
* Name: [[User:dwalsh| Daniel J Walsh]]<br />
<br />
<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or technical issues need to be resolved--><br />
* Email: dwalsh@redhat.com<br />
<br />
== Current status ==<br />
* Targeted release: [Fedora 16] <br />
* Last updated: Friday June 10 2012<br />
* Percentage of completion: 100%<br />
<br />
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. --><br />
<br />
== Detailed Description ==<br />
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --><br />
SELinux has always had a problem of how to get the default labels on an object when the object is created. Up until now, there have been three ways of getting the initial label on an object.<br />
<br />
The default way an object gets labelled is to inherit the label of the parent directory. If you create a file named foo in a directory labelled etc_t, then foo will be labeled etc_t.<br />
<br />
This works well in most cases, but in some cases you want to have multiple files within a directory with different labels.<br />
<br />
Policy writers have the ability to override this by writing a rule in policy that states: if a process with type a_t creates an object of class "file" in a directory labelled b_t, the object will get created c_t. One problem with this is that you might have a single program that is going to create multiple objects in the same directory where each object requires a separate directory.<br />
<br />
Some applications have SELinux awareness built in, which allows them to ask the system what the label of a certain path should be and then request from the kernel that the object be created with this label. Examples of applications with SELinux awareness are obviously rpm, restorecon, and udev. Another, less well-known example of an application with SELinux awareness is the passwd command. passwd recreates the /etc/passwd and /etc/shadow files. /etc/passwd should be labelled etc_t, and /etc/shadow should be labeled shadow_t. Because of this and some other concerns, the passwd command has SELinux awareness built into it, and it asks the kernel to create the /etc/passwd and /etc/shadow files with the correct default label.<br />
<br />
But we cannot instrument every application that creates a file/directory on the system with SELinux awareness. So a user creating the public_html directory in his home directory using mkdir will create the directory with the label user_home_t instead of the correct httpd_user_content_t. An administrator creating /etc/resolv.conf with sed will create the file labeled etc_t rather than net_conf_t. Or even the kernel creating /dev/rfcomm0 with the label device_t rather than tty_device_t. In these cases we have either required the user/administrator to run the restorecon command on the newly created object ("restorecon ~/public_html"), or we have added racy tools like restorecond or udev, which watch for the creation of objects using inotify and then relabel them with the correct label. All three of these end up creating an AVC for a confined domain, if not fixed before a confined domain tries to use the object.<br />
<br />
With the File Name Transitions feature, policy writers can write rules that take into account the file name, not the file path. This is the basename of the file path. Since the kernel knows at the time of object creation the label of the containing directory, the label of the process creating the object and the object's name, we can now write a policy rule that states:<br />
if an unconfined_t process creates a file named resolv.conf in a directory labelled etc_t, the file should get labeled net_conf_t.<br />
<br />
We have also added rules that state:<br />
<br />
* kernel_t creating a chr_file named rfcomm0 in a directory labelled device_t should create it labelled tty_device_t.<br />
** For Example /dev/rfcomm<br />
* sysadm_t creating a directory named .ssh in a directory labeled admin_home_t should create it labelled ssh_home_t. <br />
** Example: /root/.ssh<br />
* staff_t creating a directory named .public_html in a directory labeled user_home_dir_t should create it labelled httpd_user_content_t. <br />
** For Example /home/dwalsh/public_html<br />
<br />
Note: this feature is just about initial file creation. Objects with the wrong label on them will not magically be fixed by this feature. This feature does not use the path to determine the label, since the path can be variable in the kernel (hard/soft links, bind mounts and namespacing can all affect the path).<br />
<br />
== Benefit to Fedora ==<br />
<!-- What is the benefit to the platform? If this is a major capability update, what has changed? If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?--><br />
The major benefit to Fedora is the decrease in SELinux labelling errors; these policy changes will fix a large number of issues SELinux users have with SELinux. Over the years, the largest share of SELinux errors has come down to incorrectly labeled files/directories. If we can make sure most of them are labelled correctly without the user or admin needing to understand how SELinux works, SELinux is less likely to create problems. This feature also has the potential to make the system more secure, because a badly labelled file might give other confined objects the chance to read/write the content. For example, most confined applications should not be reading the contents of the .ssh directory, but if it gets the label of the user's home directory by default (as it does in current Fedoras), a confined application may be allowed to read the private key file.<br />
<br />
== Scope ==<br />
<!-- What work do the developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--><br />
This change only affects policy writers and the kernel. No other applications should be affected by this change.<br />
<br />
== How To Test ==<br />
<!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this feature is expected to pass when it is done. If it needs to be tested with different hardware or software configurations, indicate them. The more specific you can be, the better the community testing can be. <br />
<br />
Remember that you are writing this how to for interested testers to use to check out your feature - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your feature.<br />
<br />
A good "how to test" should answer these four questions:<br />
<br />
0. What special hardware / data / etc. is needed (if any)?<br />
1. How do I prepare my system to test this feature? What packages<br />
need to be installed, config files edited, etc.?<br />
2. What specific actions do I perform to check that the feature is<br />
working like it's supposed to?<br />
3. What are the expected results of those actions?<br />
--><br />
<br />
This initial policy work has been done and affects the following directories: /root, $HOME, /dev, /etc.<br />
<br />
Things I would like to see checked. First make sure restorecond is not running. killall -9 restorecond.<br />
<br />
yum remove policycoreutils-restorecond<br />
<br />
# Public_html test.<br />
# useradd test<br />
# mkdir /home/test/public_html<br />
Verify /home/test/public_html is labelled correctly<br />
# restorecon -v /home/test/public_html # No output expected<br />
<br />
# Verify all files created when you graphically login are created with the correct label.<br />
Now login graphically to test account.<br />
# restorecon -R -v ~test #Hopefully no output...<br />
<br />
# Creating /root/.ssh test<br />
# mv /root/.ssh /root/.ssh.old<br />
# mkdir /root/.ssh<br />
# restorecon -v /root/.ssh # No output expected<br />
# rmdir /root/.ssh<br />
# mv /root/.ssh.old /root/.ssh<br />
<br />
# Creating /etc/resolv.conf<br />
# mv /etc/resolv.conf /tmp<br />
# cp /tmp/resolv.conf /etc<br />
# restorecon -v /etc/resolv.conf # No output expected<br />
<br />
# Bluetooth having the kernel create the device with the correct label<br />
Plug in a Bluetooth device; there should be no AVC about bluetooth_t trying to interact with a device_t chr_file.<br />
<br />
# Verify the kernel will create files in the user's home directory on the server with the correct label when shared over NFS.<br />
Set up NFS to share a user's homedir, mount the homedir on a remote client and create the .public_html directory.<br />
Make sure on the server the directory gets created with the correct label.<br />
<br />
If you find other objects that could use this feature, open a bugzilla and we can discuss.<br />
<br />
== User Experience ==<br />
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result? Describe what they will see or notice. --><br />
It really should not be noticed by the user, unless they are looking for it, although hopefully they will notice that SELinux is working better.<br />
<br />
== Documentation ==<br />
<!-- Is there upstream documentation on this feature, or notes you have written yourself? Link to that material here so other interested developers can get involved. --><br />
*<br />
<br />
== Release Notes ==<br />
<!-- The Fedora Release Notes inform end-users about what is new in the release. Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ --><br />
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns. If there are any such changes involved in this feature, indicate them here. You can also link to upstream documentation if it satisfies this need. This information forms the basis of the release notes edited by the documentation team and shipped with the release. --><br />
*<br />
<br />
== Comments and Discussion ==<br />
* See [[Talk:Features/YourFeatureName]] <!-- This adds a link to the "discussion" tab associated with your page. This provides the ability to have ongoing comments or conversation without bogging down the main feature page --><br />
<br />
<br />
[[Category:FeaturePageIncomplete]]<br />
<!-- When your feature page is completed and ready for review --><br />
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler --><br />
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete--><br />
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process --></div>Domg472https://fedoraproject.org/w/index.php?title=Features/SELinuxFileNameTransition&diff=241097Features/SELinuxFileNameTransition2011-06-10T12:13:52Z<p>Domg472: /* Detailed Description */</p>
<hr />
<div>= Feature Name <!-- The name of your feature --> =<br />
SELinux File Name Transition<br />
== Summary ==<br />
<!-- A sentence or two summarizing what this feature is and what it will do. This information is used for the overall feature summary page for each release. --><br />
This change allows us to write a rule in policy that states if a process labeled A_t creates a file in a directory labeled B_t and the file is named "filename", it will get the label C_t.<br />
<br />
An example of this would be the administrator going into the /root directory and creating the .ssh directory. In previous versions of Fedora, the directory would get created with the label admin_home_t, even though the policy requires it to be labelled ssh_home_t.<br />
<br />
Now we can write a rule in policy that states, if the unconfined_t process creates the ".ssh" directory in a directory labelled admin_home_t, then it will get created with the label ssh_home_t.<br />
<br />
== Owner ==<br />
<!--This should link to your home wiki page so we know who you are--><br />
* Name: [[User:dwalsh| Daniel J Walsh]]<br />
<br />
<!-- Include you email address that you can be reached should people want to contact you about helping with your feature, status is requested, or technical issues need to be resolved--><br />
* Email: dwalsh@redhat.com<br />
<br />
== Current status ==<br />
* Targeted release: [Fedora 16] <br />
* Last updated: Friday June 10 2012<br />
* Percentage of completion: 100%<br />
<br />
<!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. --><br />
<br />
== Detailed Description ==<br />
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --><br />
SELinux has always had a problem of how to get the default labels on an object when the object is created. Up until now, there have been three ways of getting the initial label on an object.<br />
<br />
The default way an object gets labelled is to inherit the label of the parent directory. If you create a file named foo in a directory labelled etc_t, then foo will be labeled etc_t.<br />
<br />
This works well in most cases, but in some cases you want to have multiple files within a directory with different labels.<br />
<br />
Policy writers have the ability to override this by writing a rule in policy that states, if a process with type a_t creates an object of class "file" in a directory labelled b_t, the object will get created with the label c_t. One problem with this is that you might have a single program that is going to create multiple objects in the same directory where each object requires a separate label.<br />
<br />
Some applications have SELinux awareness built in, which allows them to ask the system what the label of a certain path should be and then request from the kernel that the object be created with this label. Examples of applications with SELinux awareness are rpm, restorecon, and udev. A less well-known example is the passwd command. passwd recreates the /etc/passwd and /etc/shadow files. /etc/passwd should be labelled etc_t, and /etc/shadow should be labelled shadow_t. Because of this and some other concerns, the passwd command has SELinux awareness built into it, and it asks the kernel to create the /etc/passwd and /etc/shadow files with the correct default label.<br />
<br />
But we cannot instrument every application that creates a file/directory on the system with SELinux awareness. So a user creating the public_html directory in his home directory using mkdir will create the directory with the label user_home_t instead of the correct httpd_user_content_t. An administrator creating /etc/resolv.conf with sed will create the file labelled etc_t rather than net_conf_t. Or even the kernel creating /dev/rfcomm0 with the label device_t rather than tty_device_t. In these cases we have either required the user/administrator to run the restorecon command on the newly created object ("restorecon ~/public_html"), or we have added racy tools like restorecond or udev which watch for the creation of objects using inotify and then relabel them with the correct label. All three of these end up creating an AVC for a confined domain, if not fixed before a confined domain tries to use the object.<br />
<br />
With the File Name Transition feature, policy writers can write rules that take into account the file name, not the file path. This is the basename of the file path. Since the kernel knows at the time of object creation the label of the containing directory, the label of the process creating the object and the object's name, we can now write a policy rule that states,<br />
if an unconfined_t process creates a file named resolv.conf in a directory labelled etc_t, the file should get labelled net_conf_t.<br />
<br />
We have also added rules that state:<br />
<br />
* kernel_t creating a chr_file named rfcomm0 in a directory labelled device_t should create it labelled tty_device_t.<br />
** For example: /dev/rfcomm0<br />
* sysadm_t creating a directory named .ssh in a directory labelled admin_home_t should create it labelled ssh_home_t.<br />
** For example: /root/.ssh<br />
* staff_t creating a directory named .public_html in a directory labelled user_home_dir_t should create it labelled httpd_user_content_t.<br />
** For example: /home/dwalsh/public_html<br />
<br />
Note: this feature is just about initial file creation. Objects with the wrong label on them will not magically be fixed by this feature. This feature does not use the path to determine the label, since the path can be variable in the kernel (hard/soft links, bind mounts and namespacing can all affect the path).<br />
<br />
== Benefit to Fedora ==<br />
<!-- What is the benefit to the platform? If this is a major capability update, what has changed? If this is a new feature, what capabilities does it bring? Why will Fedora become a better distribution or project because of this feature?--><br />
The major benefit to Fedora is a decrease in SELinux labelling errors; these policy changes will fix a large number of the issues users have with SELinux. Over the years, the largest share of SELinux errors has come down to incorrectly labelled files/directories. If we can make sure most of them are labelled correctly without the user or admin needing to understand how SELinux works, SELinux is less likely to create problems. This feature also has the potential to make the system more secure, because a badly labelled file might give other confined applications the chance to read/write the content. For example, most confined applications should not be reading the contents of the .ssh directory, but if it gets the label of the user's home directory by default (as it does in current Fedora releases), a confined application may be allowed to read the private key file.<br />
<br />
== Scope ==<br />
<!-- What work do the developers have to accomplish to complete the feature in time for release? Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?--><br />
This change only affects policy writers and the kernel. No other applications should be affected by this change.<br />
<br />
== How To Test ==<br />
<!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this feature is expected to pass when it is done. If it needs to be tested with different hardware or software configurations, indicate them. The more specific you can be, the better the community testing can be. <br />
<br />
Remember that you are writing this how to for interested testers to use to check out your feature - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your feature.<br />
<br />
A good "how to test" should answer these four questions:<br />
<br />
0. What special hardware / data / etc. is needed (if any)?<br />
1. How do I prepare my system to test this feature? What packages<br />
need to be installed, config files edited, etc.?<br />
2. What specific actions do I perform to check that the feature is<br />
working like it's supposed to?<br />
3. What are the expected results of those actions?<br />
--><br />
<br />
This initial policy work has been done and affects the following directories: /root, $HOME, /dev, /etc.<br />
<br />
Things I would like to see checked. First make sure restorecond is not running. killall -9 restorecond.<br />
<br />
yum remove policycoreutils-restorecond<br />
<br />
# Public_html test.<br />
# useradd test<br />
# mkdir ~test/.public_html<br />
Verify ~test/.public_html is labeled correctly<br />
# restorecon -v ~test/.public_html # No output expected<br />
<br />
# Verify all files created when you graphically log in are created with the correct label.<br />
Now log in graphically to the test account.<br />
# restorecon -R -v ~test #Hopefully no output...<br />
<br />
# Creating /root/.ssh test<br />
# mv /root/.ssh /root/.ssh.old<br />
# mkdir /root/.ssh<br />
# restorecon -v /root/.ssh # No output expected<br />
# rmdir /root/.ssh<br />
# mv /root/.ssh.old /root/.ssh<br />
<br />
# Creating /etc/resolv.conf<br />
# mv /etc/resolv.conf /tmp<br />
# cp /tmp/resolv.conf /etc<br />
# restorecon -v /etc/resolv.conf # No output expected<br />
<br />
# Bluetooth having the kernel create the device with the correct label<br />
Plug in a Bluetooth device; there should be no AVC about bluetooth_t trying to interact with a device_t chr_file.<br />
<br />
# Verify the kernel will create files in the user's home directory on the server with the correct label when shared over NFS.<br />
Set up NFS to share a user's home directory, mount the home directory on a remote client and create the .public_html directory.<br />
Make sure on the server the directory gets created with the correct label.<br />
<br />
If you find other objects that could use this feature, open a bugzilla and we can discuss.<br />
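A read-only way to run the label checks above, added here as an example and not part of the original feature page: <code>restorecon -v</code> relabels as it reports, so this script instead compares the context an object was created with (<code>stat -c %C</code>) against what the loaded file contexts expect (<code>matchpathcon -n</code>). The function names and the sample contexts in <code>demo</code> are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the feature page): report whether objects were
# created with the label the policy's file contexts expect, without
# relabeling them. All function names are hypothetical.

# ctx_type CONTEXT
# Print the type field of a context written as user:role:type[:level].
# The level may itself contain colons (s0:c0.c1023); the type is always
# the third field.
ctx_type() {
    case "$1" in
        *:*:*) printf '%s\n' "$1" | cut -d: -f3 ;;
        *)     printf '\n' ;;   # "<<none>>" or malformed input
    esac
}

# label_verdict ACTUAL_CONTEXT EXPECTED_CONTEXT
# Compare only the type: the user field legitimately differs between a
# freshly created object (unconfined_u) and file_contexts (system_u).
label_verdict() {
    lv_actual=$(ctx_type "$1")
    lv_expected=$(ctx_type "$2")
    if [ -z "$lv_expected" ]; then
        echo "NO_DEFAULT $lv_actual"
    elif [ "$lv_actual" = "$lv_expected" ]; then
        echo "OK $lv_actual"
    else
        echo "MISLABELED $lv_actual (expected $lv_expected)"
    fi
}

# check_path PATH
# Print the verdict for one existing object on an SELinux-enabled host.
# Nothing is relabeled; both commands only read.
check_path() {
    cp_actual=$(stat -c %C -- "$1") || return 2
    cp_expected=$(matchpathcon -n "$1") || return 2
    label_verdict "$cp_actual" "$cp_expected"
}

# check_paths PATH...
# Print "path: verdict" per object; return 0 only if every verdict is OK.
check_paths() {
    cps_bad=0
    for cps_p in "$@"; do
        if cps_v=$(check_path "$cps_p"); then
            printf '%s: %s\n' "$cps_p" "$cps_v"
            case "$cps_v" in
                "OK "*) ;;
                *) cps_bad=1 ;;
            esac
        else
            printf '%s: cannot read label\n' "$cps_p" >&2
            cps_bad=1
        fi
    done
    return "$cps_bad"
}

# demo: constructed contexts for objects from the test procedure, showing
# a parent-inherited label next to the one a named transition assigns.
demo() {
    label_verdict 'unconfined_u:object_r:admin_home_t:s0' 'system_u:object_r:ssh_home_t:s0'
    label_verdict 'unconfined_u:object_r:ssh_home_t:s0' 'system_u:object_r:ssh_home_t:s0'
    label_verdict 'unconfined_u:object_r:etc_t:s0' 'system_u:object_r:net_conf_t:s0'
}

# With arguments, check real paths right after creating them, e.g.
#   sh check_labels.sh /root/.ssh /etc/resolv.conf ~test/.public_html
# Without arguments, print the constructed demo.
if [ "$#" -gt 0 ]; then
    check_paths "$@"
else
    demo
fi
```

Run it immediately after each <code>mkdir</code> or <code>cp</code> step and before any <code>restorecon</code>, so the verdict reflects the label given at creation time.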
<br />
== User Experience ==<br />
<!-- If this feature is noticeable by its target audience, how will their experiences change as a result? Describe what they will see or notice. --><br />
It really should not be noticed by the user, unless they are looking for it, although hopefully they will notice that SELinux is working better.<br />
<br />
== Documentation ==<br />
<!-- Is there upstream documentation on this feature, or notes you have written yourself? Link to that material here so other interested developers can get involved. --><br />
*<br />
<br />
== Release Notes ==<br />
<!-- The Fedora Release Notes inform end-users about what is new in the release. Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ --><br />
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns. If there are any such changes involved in this feature, indicate them here. You can also link to upstream documentation if it satisfies this need. This information forms the basis of the release notes edited by the documentation team and shipped with the release. --><br />
*<br />
<br />
== Comments and Discussion ==<br />
* See [[Talk:Features/YourFeatureName]] <!-- This adds a link to the "discussion" tab associated with your page. This provides the ability to have ongoing comments or conversation without bogging down the main feature page --><br />
<br />
<br />
[[Category:FeaturePageIncomplete]]<br />
<!-- When your feature page is completed and ready for review --><br />
<!-- remove Category:FeaturePageIncomplete and change it to Category:FeatureReadyForWrangler --><br />
<!-- After review, the feature wrangler will move your page to Category:FeatureReadyForFesco... if it still needs more work it will move back to Category:FeaturePageIncomplete--><br />
<!-- A pretty picture of the page category usage is at: https://fedoraproject.org/wiki/Features/Policy/Process --></div>Domg472https://fedoraproject.org/w/index.php?title=Test_Day:2011-02-03_GNOME3_Alpha&diff=219840Test Day:2011-02-03 GNOME3 Alpha2011-02-07T11:00:27Z<p>Domg472: </p>
<hr />
<div>{{autolang|base=yes}}<br />
<br />
{{Infobox_group<br />
| name = Fedora Test Days<br />
| image = [[File:Echo-testing-48px.png|link=QA/Fedora_15_test_days]]<br />
| caption = [[Features/Gnome3|GNOME 3 (pre-F15 Alpha)]]<br />
| date = 2011-02-03<br />
| time = all day<br />
| website = http://www.gnome3.org<br />
| irc = [irc://irc.freenode.net/#fedora-test-day #fedora-test-day] ([http://webchat.freenode.net/?channels=fedora-test-day webirc])<br />
| fedora_mailing_list = test<br />
}}<br />
<br />
{{admon/note | Can't make the date? | If you come to this page before or after the test day is completed, your testing is still valuable, and you can use the information on this page to test, file any bugs you find at [http://bugzilla.redhat.com Bugzilla], and add your results to the results section. If this page is more than a month old when you arrive here, please check the [[QA/Test_Days|current schedule]] and see if a similar but more recent Test Day is planned or has already happened.}}<br />
<br />
== What to test? ==<br />
<br />
Today's installment of Fedora Test Day will focus on '''[[Features/Gnome3|GNOME 3]]'''. This is the first of three Fedora 15 Test Days focusing on GNOME 3. The goal of these events is to test as much as possible of the functionality of GNOME 3 to ensure that it works correctly and provides the necessary basic features for a day-to-day usable desktop.<br />
<br />
{{admon/warning | Big changes ahead | Remember, this ain't your momma's GNOME - the overall user experience of GNOME 3 is very different from GNOME 2. It's fine to ask about the changes and make feature requests, but before filing a bug on something that's 'missing' from GNOME 2, please ask in [irc://irc.freenode.net/#fedora-test-day #fedora-test-day] to make sure it's not an intended change. There should always be someone there who can answer your question. Thanks!}}<br />
<br />
[[File:Gnome3-overview.png|link=http://www.gnome3.org/img/overview-big.png]]<br />
<br />
== Who's available ==<br />
<br />
The following cast of characters will be available for testing, workarounds, bug fixes, and general discussion ...<br />
* Development - [[User:Mclasen|Matthias Clasen]] (mclasen)<br />
* Quality Assurance - [[User:Adamwill|Adam Williamson]] (adamw)<br />
<br />
== Prerequisite for Test Day == <br />
<br />
* An updated [[Releases/Rawhide|Rawhide]] (tips on installing Rawhide below), or the [[#Live_image|specific Test Day live image]].<br />
* Your hardware profile uploaded to [http://www.smolts.org Smolt] according to [http://smolts.org/smolt-wiki/Main_Page#Usage these instructions]<br />
{{admon/important|Smolt not working?|Smolt was broken in Rawhide until very recently. A fixed build is available and included in the Test Day live images. To upgrade {{package|smolt}} in an installed Rawhide system, run:<br />
<pre><br />
mkdir smolttemp<br />
cd smolttemp<br />
koji download-build --arch noarch 216715<br />
su -c 'yum localinstall smolt-1.4.3-2.fc15.noarch.rpm smolt-firstboot-1.4.3-2.fc15.noarch.rpm smolt-gui-1.4.3-2.fc15.noarch.rpm'<br />
</pre><br />
}}<br />
* For most testing, a graphics adapter capable of compositing: we are aiming to support all NVIDIA GeForce adapters, all Intel adapters except for GMA 500 (Poulsbo) and pre-i915 (i8xx) adapters, and all ATI/AMD Radeon adapters. If you are using an unsupported adapter, you can still help us with fallback testing - see below.<br />
<br />
{{admon/important|Unsupported adapters|Some adapters are known to be currently not working or problematic with the Shell. NVIDIA GeForce 400 series (Fermi / NVC0) adapters currently have no acceleration support and should fall back to compatibility mode (see the fallback testing section below). GeForce FX adapters may exhibit poor performance. Interaction may fail with GeForce 2 / GeForce 4 MX adapters, making the desktop effectively unusable.}}<br />
<br />
{{admon/important|Shell will not work in VirtualBox or virt-manager / KVM|Virtual machines without 3D acceleration pass-through support will not be suitable for most testing: the Shell will not run in these configurations. Also, even though some VirtualBox editions have passthrough support, the current Fedora implementation does not support it, so Shell will not work in VirtualBox either. If you are using a virtual machine, you can still help us with fallback testing - see below.}}<br />
<br />
Also helpful, if you have or can get them:<br />
<br />
* Additional displays (monitors, TVs...)<br />
* As many storage devices as you can access<br />
* Optical media (burned, commercially pressed, and blank burnable, CDs, DVDs and Blu-Rays)<br />
* Graphics adapters, virtual machines, or driver configurations not capable of compositing, to test fallback support (see below)<br />
<br />
== How to test? ==<br />
<br />
As this event comes before the release of Fedora 15 Alpha, you will need a Rawhide installation or live image to perform the testing.<br />
<br />
=== Live image ===<br />
<br />
{{admon/important|Getting the right Live image|The live images for the Test Day are in progress. The x86_64 and i686 images are uploaded now, but please check the SHA256SUM is correct before booting! If you downloaded a nightly live image as linked from this page before the date of the Test Day, please discard it and test with the dedicated images linked below.}}<br />
<br />
You may download a non-destructive Rawhide live image for your architecture. Tips on using a live image are available at [[FedoraLiveCD]]. Note that these 2 images are not CD-sized so should be used either on a DVD or a thumb drive.<br />
<br />
{|<br />
!colspan=2|Architecture !! SHA256SUM <br />
|- <br />
| [http://adamwill.fedorapeople.org/gnome3_test_day_20110203/gnome3_test_20110203_i686.iso i686] || [http://felix.fetzig.org/gnome3-test/gnome3_test_20110203_i686.iso European Mirror] || 7a64b577dbb59a2848d42536bccc2e278086ec0b3092e59f93cb6c9cb42f2426<br />
|-<br />
| [http://adamwill.fedorapeople.org/gnome3_test_day_20110203/gnome3_test_20110203.iso x86_64] || [http://felix.fetzig.org/gnome3-test/gnome3_test_20110203.iso European Mirror] || efda505e3b9deb900116aa6249da293853cedbd1e596d83ae3b4dc5800b4a184<br />
|-<br />
|}<br />
<br />
'''Post-live image updates'''<br />
<br />
The following updates that fix known bugs are available beyond what is included in the live image:<br />
<br />
* [http://koji.fedoraproject.org/koji/buildinfo?buildID=216936 control-center-2.91.6-4.fc15] - fixes a crash on running the '''Region and Language''' configuration panel, and the '''Date and Time''' panel<br />
* [http://koji.fedoraproject.org/koji/buildinfo?buildID=216924 gnome-bluetooth-2.91.5-4.fc15] - fixes a crash on running the '''Bluetooth''' configuration panel<br />
* [http://koji.fedoraproject.org/koji/buildinfo?buildID=216898 gnome-shell-2.91.6-4.fc15] - fixes the bluetooth system icon not appearing: {{bz|674874}}<br />
<br />
Using the live image is the easiest way to participate in testing for most people, but alternatively you can:<br />
<br />
=== Update your machine to Rawhide ===<br />
<br />
If you want to try Rawhide, see the instructions on the [[Releases/Rawhide|Rawhide]] page on the various ways in which you can install or update to Rawhide. For now, you will also need to add a repository definition to {{filename|/etc/yum.repos.d}} for the [http://koji.fedoraproject.org/static-repos/dist-rawhide-current/ Koji Rawhide repo] and update using that, as Rawhide proper does not yet have all the necessary packages. You may need to remove some packages for the upgrade to proceed, and you should remove {{package|at-spi2-atk}} and all packages ibus-* as they cause significant issues (crash when typing in any GTK+ 3 application including the Shell itself, and inability to type in dialog boxes) if installed. '''Using the live image is easier and highly recommended'''.<br />
<br />
== Perform testing ==<br />
<br />
Please perform as many of the test cases listed as you have the time and the resources to complete, and fill out your results in the table below. You do not need a Fedora account to fill in the table.<br />
<br />
=== Fallback testing ===<br />
<br />
* [[QA:Testcase_gnome3_fallback]]<br />
<br />
This test case will test that GNOME falls back correctly to a 'classic' environment if your hardware does not support the GNOME Shell. If your hardware starts GNOME Shell correctly, please leave the fallback test column empty, and fill in the other test result columns. If your hardware is unable to start GNOME Shell, but falls back correctly to a classic environment, please mark the fallback test in the results table as 'pass', and leave the other test columns empty. If your hardware is unable to start GNOME Shell, and does not fall back correctly to a classic environment, please mark the fallback test in the results table as 'fail', file a bug against {{package|gnome-session}}, and leave the other test columns empty.<br />
<br />
=== Regular tests ===<br />
<br />
* [[QA:Testcase_desktop_uri]] - '''NOTE''': GNOME 3 does '''not''' provide a configuration interface for preferred applications, so skip that step; this is intended<br />
* [[QA:Testcase_desktop_common_shortcuts]]<br />
* [[QA:Testcase_desktop_date]] - '''ERRATA''': GNOME date/time config applet seems to crash on launch on live images, works on an installed desktop; may be a missing dependency<br />
* [[QA:Testcase_desktop_keyring]]<br />
* [[QA:Testcase_gnome-shell_dash]]<br />
* [[QA:Testcase_gnome-shell_overview_search]]<br />
* [[QA:Testcase_gnome_desktop_background]]<br />
* [[QA:Testcase_generic_video_glx]]<br />
* [[QA:Testcase_generic_video_multihead]]<br />
* [[QA:Testcase_evince_file_display]]<br />
* [[QA:Testcase_firefox_browse]]<br />
* [[QA:Testcase_firefox_media]]<br />
* [[QA:Testcase_totem_basic]]<br />
* [[QA:Testcase_vino_vinagre_connect]]<br />
* [[QA:Testcase_desktop_automount]] - '''NOTE''': there will be no file manager on the Desktop, see [https://mail.gnome.org/archives/nautilus-list/2010-September/msg00008.html this mail] for the design decision behind it<br />
* [[QA:Testcase_desktop_menus]]<br />
<br />
=== Unplanned testing ===<br />
<br />
As well as running the formal test cases, you can help simply by running GNOME 3 and reporting any problems you come across in the course of your typical use, even if they do not match up with any of the test cases. Please remember, though, that just being different from GNOME 2 is not necessarily a problem, and check in [irc://irc.freenode.net/#fedora-test-day #fedora-test-day] before you file a bug.<br />
<br />
'''NOTE''': There are [http://koji.fedoraproject.org/koji/buildinfo?buildID=216849 updated control-center packages] if you experience crashes in the "Region and Language" panel<br />
<br />
== Test Results ==<br />
<br />
If you have problems with any of the tests, try and report a bug. Most bugs in this event should be reported to [http://bugzilla.gnome.org GNOME Bugzilla]. Bugs that are clearly issues in Fedora GNOME integration should be reported to [http://bugzilla.redhat.com Fedora Bugzilla]. You will need an account to report bugs, but creating one is easy, and we will help you do this if you ask in [irc://irc.freenode.net/#fedora-test-day IRC]. <br />
<br />
If you are not sure of the appropriate component, please check in [irc://irc.freenode.net/#fedora-test-day IRC] before filing; there are many possibilities. If you are unsure about exactly how to file the report or what other information to include, just ask on [irc://irc.freenode.net/#fedora-test-day IRC] and we will help you. <br />
<br />
Once you have completed the tests, add your results to the Results table below, following the example results from the first line as a template. The first column should be your name with a link to your User page in the Wiki if you have one, and the second should be a link to the Smolt profile of the system you tested. For each test case, use the ''result'' template to describe your result, following the examples in the ''Sample user'' row.<br />
<br />
<!--<br />
{|<br />
! User<br />
! Smolt Profile<br />
! [[QA:Testcase desktop browser|Desktop Browser]]<br />
! [[QA:Testcase_desktop_login|Desktop Login]]<br />
! [[QA:Testcase_audio_basic|Audio Basic]]<br />
! [[QA:Testcase_desktop_automount|Desktop Automount]]<br />
! [[QA:Testcase_desktop_menus|Desktop Menus]]<br />
! [[QA:Testcase_desktop_keyring|Desktop Keyring]]<br />
! References<br />
| [[User:sacular|Andrew Lucas]]<br />
| [http://www.smolts.org/client/show/pub_6a28d344-4a04-492a-bdd9-3b531c999283 HW]<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| [[QA:Testcase_desktop_login|Desktop Login]]<br />
| [[QA:Testcase_audio_basic|Audio Basic]]<br />
| [[QA:Testcase_desktop_automount|Desktop Automount]]<br />
| [[QA:Testcase_desktop_menus|Desktop Menus]]<br />
| [[QA:Testcase_desktop_keyring|Desktop Keyring]]<br />
| <references/><br />
|-<br />
| [[User:dlesage|David Le Sage (Red Hat)]]<br />
| [http://www.smolts.org/client/show/pub_97f2bc7d-2209-49fd-885d-3ce26fe9b1f4 HW]<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| <references/><br />
|-<br />
| [[User:kenda|kenda]]<br />
| [http://www.smolts.org/client/show/pub_422763f9-0a2d-42f9-9a58-13379418e158 HW]<br />
| {{result|none}}<br />
| {{result|warn}} <ref>blank entry in gdm for users without a real name.</ref><br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|fail}} <ref>Using the live image of 31.01. there is a 'Other' menu.</ref><ref>System Settings -> Network has no icon.</ref><br />
| {{result|none}}<br />
| <references/><br />
|-<br />
| [[User:doronbr770|Doron]]<br />
| [http://smolts.org/client/show/?uuid=pub_334d317e-9a1d-42bb-817c-3796cc266bbe HW]<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}} <br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| <references/><br />
|-<br />
| [[User:japafi|japafi]]<br />
| [http://www.smolts.org/client/show/pub_763c7014-7669-4415-bb05-ea8873eb3aba HW]<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|warn}}<ref>Character map application {{bz|669891}}</ref><ref>Gedit {{bz|673674}}</ref><ref>tested: Accessories, Graphics (excl simple scan), Internet </ref><br />
| {{result|pass}}<br />
| <references/><br />
|-<br />
| [[User:kato|kato]]<br />
| [http://www.smolts.org/client/show/pub_6fc492b8-bf9d-4236-bfef-949cecdb4f85 HW]<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|fail}}<ref>No Sound from the Sound Card. I tried to modifiy Sound Setting but when I tried to test the Speaker it crash {{bz|669037}} and {{bz|669279}}</ref><br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| <references/><br />
|-<br />
| [[User:andreskru|andreskru]]<br />
| []<ref>smolt doesnt work "ImportError: No module named devicelist" </ref><br />
| {{result|warn}}<ref> when i do alt+f2 i cant input text in text box "please enter a command" </ref><br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| <references/><br />
|-<br />
| [[User:HUK|HUK]]<br />
| [http://www.smolts.org/client/show/pub_d9f294cf-f40d-4024-8dac-068698a7dbc8 HW]<ref>smoltSendProfile gives error ImportError: No module named devicelist</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}}<ref>All the applications disappeared after installing some additional program(chrome and vlc). They only came back after relogin</ref><br />
| {{result|pass}}<br />
| <references/><br />
|-<br />
| [[User:Dramsey|David Ramsey]]<br />
| Add 32-bit Smolt Profile HW URL <ref>Dell Precision eight core with i686 support use new smolt at http://koji.fedoraproject.org/koji/buildinfo?buildID=216715</ref><br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| <references/><br />
|-<br />
| [[User:Dramsey|David Ramsey]]<br />
| Add 64-bit Smolt Profile HW URL <ref>Dell Precision eight core with x86_64 support use new smolt at http://koji.fedoraproject.org/koji/buildinfo?buildID=216715</ref><br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| <references/><br />
|}<br />
--><br />
<br />
{|<br />
! User<br />
! Smolt Profile<br />
! [[QA:Testcase_gnome3_fallback|Fallback]]<br />
! [[QA:Testcase_desktop_uri|URIs]]<br />
! [[QA:Testcase_desktop_common_shortcuts|Shortcuts]]<br />
! [[QA:Testcase_desktop_date|Date]]<br />
! [[QA:Testcase_desktop_keyring|Keyring]]<br />
! [[QA:Testcase_gnome-shell_dash|Dash]]<br />
! [[QA:Testcase_gnome-shell_overview_search|Search]]<br />
! [[QA:Testcase_gnome_desktop_background|Background]]<br />
! [[QA:Testcase_generic_video_glx|GL]]<br />
! [[QA:Testcase_generic_video_multihead|Multihead]]<br />
! [[QA:Testcase_evince_file_display|Evince]]<br />
! [[QA:Testcase_firefox_browse|Browse]]<br />
! [[QA:Testcase_firefox_media|Web media]]<br />
! [[QA:Testcase_totem_basic|Totem]]<br />
! [[QA:Testcase_vino_vinagre_connect|VNC]]<br />
! [[QA:Testcase_desktop_automount|Mount]]<br />
! [[QA:Testcase_desktop_menus|Menus]]<br />
! References<br />
|-<br />
| [[User:SampleUser|Sample User]]<br />
| [http://www.smolts.org/client/show/pub_84465125-1350-4f83-87b9-5f16f7430eb8 HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}} <ref>Test pass, but also encountered {{bz|54321}}</ref><br />
| {{result|fail}} <ref>{{bz|12345}}</ref><br />
| <references/><br />
|-<br />
| [[User:Salimma|Michel Salim]]<br />
| [http://www.smolts.org/client/show/pub_7728cbd6-2101-45d7-9198-8490dd15b8bb HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}} <ref>Cannot type anything in search box</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|fail}} <ref>Nautilus does not even show desktop icons properly</ref><br />
| {{result|warn}} <ref>Most of the time all icons show up. Sometimes it appears that some component fails during GNOME start-up: some icons missing, GTK theme reverting to default, and the background is a solid black, but likely a settings-daemon problem.</ref><br />
| <references/><br />
|-<br />
| [[User:Athmane|Athmane Madjoudj]]<br />
| [http://www.smolts.org/client/show/pub_05b7a231-0535-4e97-869a-a55296dbdbbd HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}} <ref>Can't type</ref><br />
| {{result|pass}}<br />
| {{result|warn}} <ref>When power is on AC there's an odd sound out from laptop screen</ref><br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}} <br />
| {{result|none}} <br />
| {{result|none}} <br />
| {{result|fail}} <ref>There's no desktop icons</ref><br />
| {{result|pass}}<br />
| <references/><br />
|-<br />
| [[User:lewis41 | lewis41]]<br />
| [http://www.smolts.org/client/show/pub_1179288c-7f57-498e-a5c0-3d9b2f0ffa2d HW]<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}} <ref>No input</ref><br />
| {{result|fail}} <ref>Color & gradient test, crash X System {{bz|674986}}</ref><br />
| {{result|pass}}<br />
| {{result|}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}} <ref>OGG has flickering </ref><br />
| {{result|warn}} <ref>OGG has flickering </ref><br />
| {{result}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| <references/><br />
|-<br />
| [[User:Kenda]]<br />
| [http://www.smolts.org/client/show/pub_11101de2-e2bb-44e2-a535-2f70479cbbb7 HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}} <ref>{{bz|674858}}</ref><br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|warn}} <ref>{{bz|670511}}</ref><ref>{{bz|675014}}</ref><br />
| {{result|pass}}<br />
| {{result|pass}} <br />
| {{result|warn}} <ref>I'm not sure, but shouldn't pressing "," go one scene rewards? In case it should: it doesn't.</ref><br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| <references/><br />
|-<br />
| [[User:Landgraf|Pavel Zhukov]]<br />
| [http://www.smolts.org/client/show/pub_84465125-1350-4f83-87b9-5f16f7430eb8 HW]<br />
| {{result|none}} <br />
| {{result|fail}}<br />
| {{result|fail}} <ref> CC crashed, cannot change layout </ref><br />
| {{result|warn}} <ref> CC crashed, after updating - pass </ref><br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|fail}} <ref> cannot change layout </ref><br />
| {{result|none}} <br />
| {{result|fail}}<br />
| {{result|fail}} <ref> CC crashed,Xorg crashed</ref><br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| <references/><br />
|-<br />
| [[User:Johannbg|Viking-Ice]]<br />
| [http://www.smolts.org/client/show/pub_50654d94-d825-48ac-8faf-c4fb55ec39f2 HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<ref>{{bz|674858}}</ref><ref>{{bz|674879}}</ref><ref>{{bz|674884}}</ref><br />
| {{result|pass}} <br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| <references/><br />
|-<br />
| [[User:pfps]]<br />
| [http://www.smolts.org/client/show/pub_c4964ae3-6563-4914-b1ae-0d82986e4511 HW]<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}} Severe problems with rotation<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}} <br />
| <references/><br />
|-<br />
| [[User:pfps]] ThinkPad T60p<br />
| [http://www.smolts.org/client/show/pub_d01e45ee-a29a-4422-a282-df79388712ea HW]<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}} Problems with rotation and menu placement<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| <references/><br />
|-<br />
| [[User:Ykopkova|Yulia Kopkova]]<br />
| [http://www.smolts.org/client/show/pub_fa1231ed-664e-42fc-a98d-b02a7b2c01a7 HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}} <ref>{{bz|674879}}</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}} <ref>{{bz|675005}}</ref> <ref>{{bz|675003}}</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}} <ref>{{bz|675013}}</ref><br />
| {{result|none}}<br />
| {{result|fail}} <ref>[https://bugzilla.gnome.org/show_bug.cgi?id=605767 bz605767]</ref> <br />
| {{result|pass}} <br />
| <references/><br />
|-<br />
| [[User:Masami]]<br />
| [http://www.smolts.org/client/show/pub_37513906-3dbb-4b1b-8661-85618921ff68 HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<ref>{{bz|674856}}</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|warn}}<ref>{{bz|674871}}</ref><br />
| {{result|fail}}<ref>{{bz|674877}}</ref><ref>{{bz|674850}}</ref><br />
| <references/><br />
|-<br />
| [[User:Tflink|Tim Flink]]<br />
| [http://smolts.org/client/show_all/pub_e194a3c2-9f97-4e11-9365-ade2256c6884 HW]<br />
| {{result|pass}} <ref>fallback after gnome shell hung {{bz|674887}}</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}} <ref>CC crashes when date/time is launched</ref><br />
| {{result|pass}}<br />
| <ref>Keep getting freezes, going to skip some of the rest</ref><br />
| <br />
| {{result|fail}} <ref> {{bz|674856}} </ref><br />
| {{result|pass}}<br />
| <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}} <ref>Worked for all but ogg, which froze. Xorg and sys log indicate nouveau issue. Sound is barely audible at full volume</ref><br />
| {{result|warn}} <ref>more nouveau issues</ref><br />
| <br />
| {{result|pass}} <br />
| {{result|warn}} <ref>again, nouveau issues</ref><br />
| <references/><br />
|-<br />
| esizikov<br />
| [http://www.smolts.org/client/show/pub_8e9338ad-a6ef-4c61-9f08-7e672549b7f5 HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}} <br />
| {{result|pass}} <br />
| <references/><br />
|-<br />
| [[User:Pfrields|Paul Frields]]<br />
| [http://smolts.org/client/show_all/pub_7b92b697-961b-4634-a84d-5f6850dfc753 HW]<br />
| <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}}<br />
| {{result|fail}}<ref>[[gnomebug:641376]]</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| <!-- no 2nd monitor available for this hw --><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}}<ref>Vinagre client worked OK, vino server not accepting connections</ref><br />
| {{result|pass}}<br />
| {{result|inprogress}}<br />
| <references/><br />
|-<br />
| [[User:Mcloaked|Mike Cloaked]]<br />
| [http://www.smolts.org/client/show/pub_90235bed-08f2-4a23-ad0a-49cfb124f8f7 HW]<br />
| <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}}<br />
| {{result|fail}}<ref>[[gnomebug:641376]]</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| <!-- no 2nd monitor available for this hw --><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}}<ref>Vinagre client not tested</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| <references/><br />
|-<br />
| [[User:Mcloaked|Mike Cloaked]]<br />
| [http://www.smolts.org/client/show/pub_d5eda90b-555a-47f0-adee-d7a729948bf8 HW]<br />
| <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<ref>[[gnomebug:641376]]</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<ref>usbkey not tested</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| <!-- no 2nd monitor available for this hw --><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}}<ref>Vinagre client not tested</ref><br />
| {{result|pass}}<ref>usbkey not tested</ref><br />
| {{result|pass}}<br />
| <references/><br />
|-<br />
| [[User:Mcloaked|Mike Cloaked]]<br />
| [http://www.smolts.org/client/show/pub_2bb702f0-147a-4fc8-a346-8669fd8bb27e HW]<br />
| <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<ref>[[gnomebug:641376]]</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<ref>usbkey not tested</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| <!-- no 2nd monitor available for this hw --><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<ref>slightly hesitant video due to slow processor</ref><br />
| {{result|pass}}<br />
| {{result|warn}}<ref>Vinagre client not tested</ref><br />
| {{result|none}}<ref>usbkey not tested</ref><br />
| {{result|pass}}<br />
| <references/><br />
|-<br />
| [[User:Pfrields|Paul Frields]]<br />
| [http://www.smolts.org/client/show/pub_712c4340-5618-4510-a7d9-ce737712c29c HW]<br />
| <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}}<ref>Works when running ''system-config-date'' or ''date''</ref><br />
| {{result|fail}}<ref>[[gnomebug:641376]]</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<ref>repeated calls to CC display cause unpredictable failure (nouveau, G86/GeForce 8400M GS 10de:0427)</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}}<ref>Vinagre client worked OK, vino server not accepting connections</ref><br />
| {{result|pass}}<br />
| {{result|inprogress}}<br />
| <references/><br />
|-<br />
| kubo<br />
| [http://www.smolts.org/client/show/pub_864b0792-044b-47fb-a687-2eba5445b085 HW]<br />
| <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}}<ref>crash on liveCD</ref><br />
| {{result|pass}}<br />
| {{result|warn}}<ref>doesn't display more than 13 apps (on my monitor), bug is in upstream</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}}<ref>{{bz|674939}}</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<ref>only USB mount tested because of liveCD</ref><br />
| {{result|none}}<br />
| <references/><br />
|-<br />
| [[User:Cra|Chuck Anderson]]<br />
| [http://www.smolts.org/client/show/pub_3a2cf40c-0037-46c0-a593-c730c3cb4bcf HW]<br />
|<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}}<ref>tz change from shell doesn't take effect work</ref><ref>date/time prefs crash after changing tz from s-c-d</ref><br />
| {{result|pass}}<br />
| {{result|warn}}<ref>Right-clicking on a running application's Dash icon that is running in another workspace does not bring it into view</ref><br />
| {{result|pass}}<br />
| {{result|warn}}<ref>Adding new pictures to Pictures folder requires closing/re-opening Background settings for them to appear</ref><br />
| {{result|pass}}<br />
| {{result|inprogress}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}}<ref>Issues seeking in sunflower.webm [[gnomebug:641452]]</ref><br />
| {{result|fail}}<ref>Client works fine. Had to disable iptables for server to work. Shell overview mode doesn't work correctly over VNC.</ref><br />
| {{result|fail}}<ref>Eject icon fails most of the time.{{bz|674856}}</ref><br />
| {{result|inprogress}}<br />
| <references/><br />
|-<br />
| [[User:Strazhce|Strazhce]]<br />
| [http://www.smolts.org/client/show/pub_36fe8ad8-0aa5-44b4-b9ce-2931ba4795a8 HW]<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|fail}}<ref>10. Mute did nothing. Xev shows no events for this button both in gentoo and fedora test image. "Normal" situation. [http://www.smolts.org/client/show/pub_4c1f740b-12fb-4bc9-97d5-ee6c2d1c9ac5 different smolt]</ref><br />
| {{result|fail}}<ref>[[gnomebug:641360]]</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<ref>9. Supports reordering of icons, but always adds as favorite on reordering. This is annoying. Bug/feature?.[[gnomebug:641454]]</ref><br />
| {{result|pass}}<br />
| {{result|fail}}<ref>5. If I change background, this dropdown is not visible. I have to close app and start it again to change options.[[gnomebug:641458]]</ref><br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<ref>When playing [http://people.opera.com/shwetankd/webm/sunflower.webm sunflower video] video hung [[gnomebug:641452]]</ref><br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| <references/><br />
|-<br />
| [[User:zzrough|Stéphane Démurget]]<br />
| [http://www.smolts.org/client/show/pub_62636238-d3a3-48b9-a947-80c3b78409d0 HW]<br />
| {{result|}}<br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<ref> [[https://bugzilla.redhat.com/show_bug.cgi?id=675028 BZ#675028]]</ref><br />
| <references/><br />
|-<br />
| [[User:zzrough|Stéphane Démurget]]<br />
| [http://www.smolts.org/client/show/pub_6d069d23-3a91-4505-ba4a-4e9a983e774c HW]<br />
| {{result|fail}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| <references/><br />
|-<br />
| [[User:Heffer|Felix Kaechele]]<br />
| [http://www.smolts.org/client/show/pub_75db7e20-7090-4c9c-ab20-031def8a4c24 HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}} <br />
| {{result|pass}} <br />
| <references/><br />
|-<br />
| [[User:Watzkej|John Watzke]]<br />
| [http://www.smolts.org/client/show/pub_6cc909c0-6b41-4422-b395-c0d7d2042d38 Lenovo T500]<br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}} <ref> [[https://bugzilla.redhat.com/show_bug.cgi?id=674858 BZ#674858]]</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}} <br />
| {{result|pass}} <br />
| <references/><br />
|-<br />
| lithpr<br />
| [http://www.smolts.org/client/show/pub_62082a20-89d0-4176-8213-f7feb03ad474 HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}} <br />
| {{result|none}} <br />
| <references/><br />
|-<br />
| gelirhil<br />
| [http://www.smolts.org/tokens/token_json?uuid=30bf76b5-b4d5-405d-aa63-a1c8aff95a73 HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}} <br />
| {{result|pass}} <br />
| <references/><br />
|-<br />
| mira<br />
| [http://www.smolts.org/client/show/pub_94b448bc-4277-4c30-89cc-0c2b7047f9ca HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|warn}} <ref> no visual feedback for mute (like vol-up and vol-down have), I also would expect that second press of "mute" button will "unmute" sound, but it doesn't. Pressing "vol-up" or "vol-down" does it. </ref><br />
| {{result|warn}} <ref> different time in gnome3 applet and system-config-date </ref><br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}} <ref> background control didn't start </ref><br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}} <ref> I was able to connect from LiveCD to other machine, but not the other way around (second machine debian) </ref><br />
| {{result|pass}} <br />
| {{result|pass}} <br />
| <references/><br />
<br />
|-<br />
| [[User:japafi|japafi]]<br />
| [http://www.smolts.org/client/show/pub_4968aed2-d9cb-4587-91d4-ab1b54a8bf96 HW]<br />
| {{result|none}} <br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}} <br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}} <br />
| {{result|none}} <br />
| {{result|none}} <br />
| <references/><br />
|-<br />
| [[User:bubeck|Tilmann Bubeck]]<br />
| [http://www.smolts.org/client/show/pub_addd761b-65c2-4422-9fb6-1b6c9fee60ba HW]<br />
| {{result|none}} <br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}} <ref>Test pass, but adding or removing a monitor was not detected automatically. Starting xrandr or gnome-control-center did a "refresh" and the change was seen by Fedora.</ref><br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}} <br />
| {{result|none}} <br />
| <references/><br />
|-<br />
| [[User:Nathant|Nathan Thomas]]<br />
| [http://www.smolts.org/show?uuid=pub_f382dbb7-985d-4594-8d8c-515d86a26628 Smolt]<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}} <ref> [[https://bugzilla.redhat.com/show_bug.cgi?id=674858 BZ#674858]]</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|warn}} <ref>evince loses focus on window when zoom keyboard shortcuts are pressed</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}} <ref>No optical drive on my machine but USB stick works fine</ref><br />
| {{result|none}} <br />
| <references/><br />
|-<br />
| [[User:arouse|arouse livecd image]]<br />
| [http://www.smolts.org/client/show/pub_c06f7e3f-6b9f-473c-aa57-9547d82c7108 Smolt]<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}} <ref>bugzilla 674856. system-config-date and date work. desktop panel one hour ahead (DST problem?)</ref><br />
| {{result|warn}} <ref>works, but am unable to log out properly</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}} <ref>pictures for background that are large (like Garden.jpg) show differently on preview than on screen</ref> <br />
| {{result|pass}} <ref>listed as "unknown" in Dash. 60 fps</ref><br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|fail}} <ref>booting with attached USB storage will not automount</ref><br />
| {{result|none}} <br />
| <references/><br />
|-<br />
| [[User:jsmith|Jared Smith]]<br />
| [http://www.smolts.org/client/show/pub_26539d83-4c1c-4faf-890e-a21653456e58 Smolt]<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<ref>{{bz|674999}}</ref><br />
| {{result|warn}}<ref>https://bugzilla.gnome.org/show_bug.cgi?id=641376</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<ref>The "Date and Time" icon showed up twice, once as "Date and Time" and once as "Date & Time". Note the difference between "and" and "&".</ref><br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| <references/><br />
|-<br />
| [[User:Mcepl|Matěj Cepl]]<br />
| [http://smolts.org/show?uuid=pub_a5248b95-4d3b-4e29-b01f-ab7b7a05c8a9+ HW]<br />
| <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<ref>https://bugzilla.redhat.com/show_bug.cgi?id=674977</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| <!-- no 2nd monitor available for this hw --><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| <references/><br />
|-<br />
| [[User:robatino|Andre Robatino]]<br />
| [http://www.smolts.org/client/show/pub_e6c78f7d-d38c-47df-8f06-47696b5c01b3 HW]<br />
| {{result|fail}}<ref>Have a GeForce 6150SE nForce 430. OS apparently thinks 3D acceleration is working, but display is totally corrupted, so it isn't. Had same problem with mesa-drivers-dri-experimental in F13 and F14, so must use proprietary nVidia driver.</ref><ref>{{bz|675010}}</ref><br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| <references/><br />
|-<br />
| [[User:ivancjimenez|Ivan Jimenez]]<br />
| [http://www.smolts.org/client/show/pub_7977f33a-d69c-4ac5-baec-c2e817e30b56 HW]<br />
| {{result|none}}<br />
| {{result|warn}}<ref>evo setup assistant does not fit in 1024x600 screen</ref><br />
| {{result|fail}}<ref>{{bz|674987}}</ref><br />
| {{result|fail}}<ref>{{bz|674856}}</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}}<ref>selecting flickr doesn't show anything</ref><br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<ref>webm seeking fails, OOM while testing ogg</ref><br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| <references/><br />
|-<br />
| [[User:amrlima|Antonio Lima]]<br />
| [http://www.smolts.org/client/show/pub_a8005593-2541-4612-b1c1-c0f4f385d050 HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|warn}} <ref>Test passed but there were corruptions when enabling only external monitor</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}} <ref>Did not test USB drive; the only one available was being used to boot fedora, but CD/DVD mount passed</ref><br />
| {{result|fail}} <ref>{{bz|674850}}</ref><br />
| <references/><br />
|-<br />
| Rui Principe<br />
| [http://www.smolts.org/client/show/pub_afe9c23f-ecaf-4fef-adf5-034c7782d8f4 HW]<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}} <ref>{{bz|674858}}</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}} <ref> Can’t type anything in the search box </ref><br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| <references/><br />
|-<br />
| [[User:galileo|Gerard Ryan]]<br />
| [http://www.smolts.org/client/show/pub_8f699c1d-80e4-4ce2-924e-f841c5385bc9 HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| <references/><br />
|-<br />
| [[User:reinouts|Reinout van Schouwen]]<br />
| [http://www.smolts.org/client/show/pub_1598bd36-7ad3-49c7-973f-e9e1e4af67b0 HW]<br />
| {{result|none}} <br />
| {{result|none}} <br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| <references/><br />
|-<br />
| [[User:vhumpa|Vitezslav Humpa]]<br />
| [http://www.smolts.org/client/show/pub_a64408ed-c828-4305-95f5-bfbae42dce11 HW]<br />
| {{result|none}} <br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<ref>No response on setting up the wallpaper directly from Firefox</ref><br />
| {{result|pass}}<br />
| {{result|warn}}<ref>All fine, except: turning off the laptop screen and setting DVI monitor as single screen makes both screens go black (with mouse, X restart works)</ref><br />
| {{result|warn}}<ref>{{bz|675386}}</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|fail}}<ref>"Other" is present in the top level of the (live CD) menu, with about 17 apps</ref><br />
| <references/><br />
|-<br />
| [[User:luya|Luya Tshimbalanga]]<br />
| [http://www.smolts.org/client/show/pub_14b91cdd-42cc-4b6d-9b42-1a2f6e2ff262 LG LT20]<br />
| {{result|pass}} <br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}}<ref>Switch to plain background causes loop on abrt-gui</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|warn}}<ref>Missing icons on menu for Etoys, gDesklets, Neomuk</ref><br />
| <references/><br />
|-<br />
| Erik Sands (soundfreely)<br />
| [http://www.smolts.org/client/show/pub_196d8023-b34b-4d3f-b92e-6e8246f752e5 HW]<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| <references/><br />
|-<br />
| [[User:timlau|Tim Lauridsen]]<br />
| [http://www.smolts.org/client/show/pub_6017a501-97e0-4507-8d55-3bd847be805c HW]<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|none}} <br />
| {{result|pass}}<br />
| <references/><br />
|-<br />
| Miguel Zúñiga González (miguel~1.mx)<br />
| [http://www.smolts.org/client/show/pub_aa86b362-8f75-47c3-b630-4b252e3b231a HW]<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<ref>1. /sbin/chkconfig sends an alert to SELinux if asked to update clock from network.</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<ref>2. Vino server does not see or get connections.</ref><br />
| {{result|pass}}<ref>3. even mounted my BeOS partition, but not my FreeBSD's.</ref><br />
| {{result|pass}}<ref>4. bugzilla #674850 --Upgrade your system-- does not close.</ref><br />
| <references/><br />
|-<br />
| [[User:bookwar]]<br />
| [http://www.smolts.org/client/show/pub_186d54f7-68bb-444f-834f-3fcd8032c953 HW]<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}} <ref>shortcuts with "unknown action" in the menu [https://bugzilla.gnome.org/show_bug.cgi?id=641426 GBZ 641426] </ref><br />
| {{result|pass}} <ref>worked with updated control-center</ref><br />
| {{result|pass}} <ref>tested on wireless network password</ref><br />
| {{result|pass}} <ref>limited number of applications</ref><br />
| {{result|pass}} <ref>Left/Right keys don't work[https://bugzilla.gnome.org/show_bug.cgi?id=641402 GBZ 641402]</ref><br />
| {{result|pass}} <br />
| {{result|pass}} <br />
| {{result|pass}} <ref>tested Display settings for one monitor only: brightness issue [https://bugzilla.gnome.org/show_bug.cgi?id=641431 GBZ 641431] {{bz|675049}}</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}} <ref>"Right arrow" button stops the playback [https://bugzilla.gnome.org/show_bug.cgi?id=641433 GBZ 641433]</ref><br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|pass}} <ref>look of the gnome-panel [https://bugzilla.gnome.org/show_bug.cgi?id=641425 GBZ 641425]; keyboard interface [https://bugzilla.gnome.org/show_bug.cgi?id=641402 GBZ 641402]; tooltips for applications [https://bugzilla.gnome.org/show_bug.cgi?id=627781 GBZ 627781]; gnome-applications ignore layout switching [https://bugzilla.gnome.org/show_bug.cgi?id=641367 GBZ 641367]</ref><br />
| <references/><br />
|-<br />
|[[User:Djuran]]<br />
| [http://www.smolts.org/client/show/pub_186d54f7-68bb-444f-834f-3fcd8032c953 HW]<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}} <br />
| {{result|none}}<br />
| {{result|none}} <br />
| {{result|none}} <br />
| {{result|none}} <br />
| {{result|none}} <br />
| {{result|fail}} <ref>gnome-control-center crashes when running the xrandr gui [https://bugzilla.redhat.com/show_bug.cgi?id=675187 RHBZ675187 ] {{bz|675187}}</ref> <ref> Monitor only announces 1024x768 mode after re-connecting [https://bugzilla.redhat.com/show_bug.cgi?id=675212 RHBZ675212]</ref><br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}} <br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}} <br />
| <references/><br />
|-<br />
| [[User:Shnurapet|Misha Shnurapet]]<br />
| [http://www.smolts.org/client/show/pub_0df2ef3b-894b-4de6-87c9-12f42deb9ed8 HW]<br />
| {{result|none}} <ref> RHBZ #[[rhbug:675018|675018]]</ref><ref>RHBZ #[[rhbug:675237|675237]]</ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}} <ref>The desktop's date and time configuration tool has no effect at all. The other two methods of date and time adjustment *do* work but no effect on the panel.</ref><br />
| {{result|pass}}<br />
| {{result|pass}} <br />
| {{result|pass}} <br />
| {{result|pass}} <br />
| {{result|pass}} <br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}} <ref>[http://people.opera.com/shwetankd/webm/sunflower.webm This video] hangs if seeked after half of it has played. Playing [http://www.assembla.com/code/cristianadam/subversion/node/live/25/webpages/sintel/sintel-360p.webm that one], Totem does not allow seeking at all (the grip moves while playing but not interactive). Multimedia Stop button does not stop but pauses videos.</ref><br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|none}} <br />
| <references/> <br />
|-<br />
| [[User:mzdunek|Marek Zdunek]]<br />
| [http://www.smolts.org/client/show/pub_76a1d0b1-2029-4130-b6e7-d742ada176e7 HW]<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<ref>{{bz|674858}}</ref><br />
| {{result|inprogress}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<ref>[[gnomebug:641458]]</ref><ref>{{bz|674986}}</ref><br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| <references/><br />
|-<br />
| [[User:jraber]]<br />
| [http://www.smolts.org/client/show/pub_9ec153ee-35c7-4ac0-9b18-14cc255ed926 HW]<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| {{result|inprogress}}<br />
| <references/><br />
|-<br />
| [[User:Dramsey|David Ramsey]]<br />
| Add 32-bit Smolt Profile HW URL <ref>Dell Precision eight core with i686 support</ref><br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}} <br />
| {{result|pass}} <br />
| <references/><br />
|-<br />
| [[User:Dramsey|David Ramsey]]<br />
| Add 64-bit Smolt Profile HW URL <ref>Dell Precision eight core with x86_64 support</ref><br />
| {{result|none}} <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|fail}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|none}}<br />
| {{result|pass}} <br />
| {{result|pass}} <br />
| <references/><br />
|-<br />
| [[User:Watzkej|John Watzke]]<br />
| [http://www.smolts.org/client/show/pub_5f42fa25-30ce-48f7-b5b5-c158b2e821a7 Lenovo S12]<br />
| {{result|pass}} <ref>Small issue is that Gnome falls back but the theme is still Gnome shell so it makes the panel bars hard to view.</ref><br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}} <br />
| {{result|none}} <br />
| <references/><br />
|-<br />
| [[User:giallu|Gianluca Sforna]]<br />
| [http://www.smolts.org/client/show/pub_73968c7c-79f7-4fee-b0f0-c946cf214f7e Sony VGN-BZ31VT]<br />
| {{result|pass}} <ref>This should be a supported chipset, not sure why the Shell is not starting. Besides fallback mode [http://giallu.fedorapeople.org/Fallback.png looks weird].</ref><br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}} <br />
| {{result|none}} <br />
| <references/><br />
|-<br />
| [[User:dbdb|Dennis]]<br />
| [http://www.smolts.org/client/show/pub_69f10ff1-4052-4c36-bf25-2d5f28c7b1e3 HW]<br />
| {{result|pass}} <ref>NVidia GeForce 8500 GT (G86)</ref><br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}}<br />
| {{result|none}} <br />
| {{result|none}} <br />
| <references/><br />
|-<br />
| [[User:domg472|Dominick Grift]]<br />
| [http://www.smolts.org/client/show/pub_77979177-e307-4053-be88-e986b70c7bdc HW]<br />
| {{result|none}}<br />
| {{result|pass}} <ref> Did not offer changing the preferred applications. </ref><br />
| {{result|pass}} <br />
| {{result|warn}} <ref> Seems that enabling ntpd does not work properly. Had to manually "systemctl enable ntpd.service". </ref><br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}} <ref> Tried SD card but it could not find its partition name. </ref> <br />
| {{result|pass}}<br />
| {{result|pass}}<br />
| {{result|warn}} <ref> Could not get display mirroring to work. </ref><br />
| {{result|pass}} <ref> Downloaded a PDF to ~/Downloads and search was not able to find it. </ref><br />
| {{result|pass}} <br />
| {{result|pass}} <ref> Only worked for 1920x1080 other sizes produced grey box with x. </ref><br />
| {{result|warn}} <ref> Webm fwd / reverse does not work properly. Stops video, no way to resume. </ref><br />
| {{result|pass}} <ref> Only tested locally. </ref><br />
| {{result|pass}} <ref> Only tested SD card. </ref><br />
| {{result|pass}} <ref> Some applications crash. </ref><br />
| <references/><br />
|-<br />
! User<br />
! Smolt Profile<br />
! [[QA:Testcase_gnome3_fallback|Fallback]]<br />
! [[QA:Testcase_desktop_uri|URIs]]<br />
! [[QA:Testcase_desktop_common_shortcuts|Shortcuts]]<br />
! [[QA:Testcase_desktop_date|Date]]<br />
! [[QA:Testcase_desktop_keyring|Keyring]]<br />
! [[QA:Testcase_gnome-shell_dash|Dash]]<br />
! [[QA:Testcase_gnome-shell_overview_search|Search]]<br />
! [[QA:Testcase_gnome_desktop_background|Background]]<br />
! [[QA:Testcase_generic_video_glx|GL]]<br />
! [[QA:Testcase_generic_video_multihead|Multihead]]<br />
! [[QA:Testcase_evince_file_display|Evince]]<br />
! [[QA:Testcase_firefox_browse|Browse]]<br />
! [[QA:Testcase_firefox_media|Web media]]<br />
! [[QA:Testcase_totem_basic|Totem]]<br />
! [[QA:Testcase_vino_vinagre_connect|VNC]]<br />
! [[QA:Testcase_desktop_automount|Mount]]<br />
! [[QA:Testcase_desktop_menus|Menus]]<br />
! References<br />
|}<br />
<br />
[[Category:Fedora 15 Test Days]]</div>Domg472https://fedoraproject.org/w/index.php?title=SELinux&diff=106806SELinux2009-06-08T22:25:58Z<p>Domg472: </p>
<hr />
<div>= Fedora SELinux Project Pages =<br />
<br />
* [[SELinux/Understanding| Understanding SELinux]] <br />
* [[SELinux/Policies| Discussion of Policies]] <br />
* [[SELinux/Troubleshooting| Troubleshooting SELinux]] <br />
* [[SELinux/MCS| Multi Category Security/MCS]] <br />
* [[SELinux/MLS| Multi Level Security/MLS]] <br />
* [[SELinux/LoadableModules| Loadable Modules]] <br />
* [[SELinux/PolicyGenTools| Policy Generation Tools]] <br />
* [[SELinux/setroubleshoot| Troubleshoot Tool]] <br />
<br />
== Topics ==<br />
<br />
* [[SELinux/FC5Features| New SELinux features in FC5]] <br />
* [[SELinux/Commands| SELinux Commands]] <br />
* [[SELinux/Domains| Confined Domains]] <br />
<br />
== Documentation ==<br />
<br />
* [[SELinux/FAQ| FAQs]] <br />
* [http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/ Fedora 10 - Security-Enhanced Linux User Guide]<br />
* [http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/index.html Red Hat Enterprise Linux 4 - SELinux Guide] <br />
* http://www.redhat.com/magazine/001nov04/features/selinux/<br />
* http://www.redhat.com/magazine/006apr05/features/selinux/<br />
* http://www.redhatmagazine.com/2007/05/04/whats-new-in-selinux-for-red-hat-enterprise-linux-5/<br />
* http://www.redhat.com/v/swf/SELinux/ - DanielWalsh (Red Hat SELinux developer)'s Flash presentation.<br />
* http://danwalsh.livejournal.com/ - DanielWalsh's blog, which has a continuous discourse on understanding and using SELinux. Check other posts.<br />
* http://searchenterpriselinux.techtarget.com/columnItem/0,294698,sid39_gci1253747,00.html Five ways SELinux may surprise you<br />
* http://www.tresys.com/selinux<br />
* http://www.nsa.gov/research/selinux/<br />
* [[Selinux_grammar| Grammar for policy language]]<br />
<br />
If you want to work on formal documentation, you can use the [[Docs/Drafts/SELinux| Docs/Drafts/SELinux]] namespace. When you are done editing the draft, it can migrate to [[Docs/SELinux| Docs/SELinux]] . Doing this lends an air of formality and provides higher immutability and accountability in the wiki, as only the DocWritersGroup can edit the Docs/ namespace</div>Domg472https://fedoraproject.org/w/index.php?title=SELinux/Policies&diff=106800SELinux/Policies2009-06-08T21:58:22Z<p>Domg472: </p>
<hr />
<div>== Discussion of Policies ==<br />
<br />
SELinux is a very flexible architecture. You can pick and choose your policy, depending on your security needs.<br />
<br />
During the development of SELinux, we have published four different types of policy so far: targeted, strict, minimum and MLS. The original policy published at the NSA was the strict policy. Its goal was to lock down the entire operating system, controlling not only the daemons that live in system space, but controlling the user space as well. Strict policy has the most domains, and adds the largest burden on users.<br />
<br />
* Strict<br />
<br />
During the development of Fedora Core 2, we attempted to use strict policy as the default policy. We had multiple problems with this because strict policy was governing the way that users were running their systems. We had to cover all possible ways that a user would be able to set up their system. As you can imagine, we had a ton of problems and bug reports. Most people, when confronted with SELinux at that time, just wanted it turned off.<br />
<br />
Strict policy works best where you have a controlled userspace. For example, you can set up a security policy where your users are only allowed to use the Web browser to view files on the Internet and only allowed to download to certain directories. You could limit what applications the Web browser can launch to ''helper'' applications.<br />
<br />
* Targeted<br />
<br />
After our experiences with the strict policy, we went back and reflected on what our goals were. We wanted a system where the user was protected from System applications that were listening on the network.<br />
<br />
These applications were the doors and windows where the hackers would enter the system. So we decided to ''target'' certain domains and lock them down, while continuing to leave userspace to run in an unconfined nature. Targeted policy was born. In Fedora Core 3 we targeted about 10 domains for lock down and came up with a new domain called <code>unconfined_t</code>.<br />
<br />
Processes within the domain of <code>unconfined_t</code> would have the same access to the system as if SELinux was not enabled. We shipped this policy and this was the basis for Red Hat Enterprise Linux 4. In Fedora Core 4 and beyond we have continued to add new targets to the point where most of system space has been locked down, but userspace is still running in the <code>unconfined_t</code> domain.<br />
<br />
In Fedora Core 5 we have begun experimenting with locking down some of <code>unconfined_t</code> by eliminating the <code>execmem</code>, <code>execheap</code>, <code>execstack</code>, and <code>execmod</code> privileges wherever possible.<br />
<br />
* [http://james-morris.livejournal.com/5020.html MLS] <br />
<br />
During the development of Fedora Core 5/Red Hat Enterprise Linux 5, we have developed a new policy, for servers only.<br />
<br />
The goal of this policy is to allow a Linux operating system to get [http://www.google.com/search?q=Type%20EAL4%20LSPP%20MLS EAL4+/LSPP] certification. It is the first operating system to combine the [http://www.google.com/search?q=bell%20lapadula Bell And LaPadula] model and [http://www.google.com/search?q=Type%20Enforcement%20SELinux Type Enforcement]. In developing this policy, we have turned on the fourth field of the security context, the security or sensitivity level. This allows us to start the handling of ''labeled files''.<br />
<br />
The policy contains rules that govern not only what security types are able to do, but also what they can do when running at a particular security level. In MLS there are two components of the security level: the sensitivity level, which can go from s0 to s15, and the capabilities, which can go from c0 to c255. We also added [http://james-morris.livejournal.com/2005/09/16/ MCS] policy to targeted and strict, which confines the sensitivity level to s0 but allows us to work with user-defined capabilities. This allows us to use several new features in the OS and test them out without putting the burden of MLS on all users.<br />
<br />
* [http://danwalsh.livejournal.com/26759.html Minimum]<br />
<br />
The ovirt team was looking for a minimal policy to run on low-memory machines, one that confines only virtual machines. ovirt does not run any of the services confined by targeted policy, so they did not want the overhead of having those policies on the machine. Similarly, people are experimenting with using SELinux on "devices" like smart phones. What policy do we have for them?<br />
<br />
In Fedora 10 we introduced selinux-policy-minimum. Minimum policy is built exactly the same as targeted policy, but installs ONLY the base policy package and the unconfined.pp. All of the SELinux policy modules from the targeted policy are in the selinux-policy-minimum RPM package but they are not compiled and loaded into the kernel in the post install.<br />
<br />
Pretty much everything on this system runs as initrc_t or unconfined_t so all of the domains are unconfined.</div>Domg472https://fedoraproject.org/w/index.php?title=SELinux/Policies&diff=106798SELinux/Policies2009-06-08T21:56:16Z<p>Domg472: </p>
<hr />
<div>== Discussion of Policies ==<br />
<br />
SELinux is a very flexible architecture. You can pick and choose your policy, depending on your security needs.<br />
<br />
During the development of SELinux, we have published three different types of policy so far: targeted, strict, and MLS. The original policy published at the NSA was the strict policy. Its goal was to lock down the entire operating system, controlling not only the daemons that live in system space, but controlling the user space as well. Strict policy has the most domains, and adds the largest burden on users.<br />
<br />
* Strict<br />
<br />
During the development of Fedora Core 2, we attempted to use strict policy as the default policy. We had multiple problems with this because strict policy was governing the way that users were running their systems. We had to cover all possible ways that a user would be able to set up their system. As you can imagine, we had a ton of problems and bug reports. Most people, when confronted with SELinux at that time, just wanted it turned off.<br />
<br />
Strict policy works best where you have a controlled userspace. For example, you can set up a security policy where your users are only allowed to use the Web browser to view files on the Internet and only allowed to download to certain directories. You could limit what applications the Web browser can launch to ''helper'' applications.<br />
<br />
* Targeted<br />
<br />
After our experiences with the strict policy, we went back and reflected on what our goals were. We wanted a system where the user was protected from System applications that were listening on the network.<br />
<br />
These applications were the doors and windows where the hackers would enter the system. So we decided to ''target'' certain domains and lock them down, while continuing to leave userspace to run in an unconfined nature. Targeted policy was born. In Fedora Core 3 we targeted about 10 domains for lock down and came up with a new domain called <code>unconfined_t</code>.<br />
<br />
Processes within the domain of <code>unconfined_t</code> would have the same access to the system as if SELinux was not enabled. We shipped this policy and this was the basis for Red Hat Enterprise Linux 4. In Fedora Core 4 and beyond we have continued to add new targets to the point where most of system space has been locked down, but userspace is still running in the <code>unconfined_t</code> domain.<br />
<br />
In Fedora Core 5 we have begun experimenting with locking down some of <code>unconfined_t</code> by eliminating the <code>execmem</code>, <code>execheap</code>, <code>execstack</code>, and <code>execmod</code> privileges wherever possible.<br />
<br />
* [http://james-morris.livejournal.com/5020.html MLS] <br />
<br />
During the development of Fedora Core 5/Red Hat Enterprise Linux 5, we have developed a new policy, for servers only.<br />
<br />
The goal of this policy is to allow a Linux operating system to get [http://www.google.com/search?q=Type%20EAL4%20LSPP%20MLS EAL4+/LSPP] certification. It is the first operating system to combine the [http://www.google.com/search?q=bell%20lapadula Bell And LaPadula] model and [http://www.google.com/search?q=Type%20Enforcement%20SELinux Type Enforcement]. In developing this policy, we have turned on the fourth field of the security context, the security or sensitivity level. This allows us to start the handling of ''labeled files''.<br />
<br />
The policy contains rules that govern not only what security types are able to do, but also what they can do when running at a particular security level. In MLS there are two components of the security level: the sensitivity level, which can go from s0 to s15, and the capabilities, which can go from c0 to c255. We also added [http://james-morris.livejournal.com/2005/09/16/ MCS] policy to targeted and strict, which confines the sensitivity level to s0 but allows us to work with user-defined capabilities. This allows us to use several new features in the OS and test them out without putting the burden of MLS on all users.<br />
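The comparison behind the security level described above, as an added example (not code from the wiki or from the SELinux project). It parses the fourth context field into a sensitivity and a set of the c-numbered component, then applies the textbook Bell-LaPadula read and write rules, which are simpler than the constraints a shipped MLS policy compiles in. The contexts are constructed, and the s0-s15 / c0-c255 limits are taken from the text and passed as parameters because real limits depend on how the policy was built.

```python
import re

LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")
CAT_RE = re.compile(r"^c(\d+)$")


def parse_categories(spec, max_cat):
    """Expand 'c1,c5.c7' into frozenset({1, 5, 6, 7}): '.' is a range, ',' a list."""
    cats = set()
    for part in spec.split(","):
        low_txt, dot, high_txt = part.partition(".")
        low = CAT_RE.match(low_txt)
        high = CAT_RE.match(high_txt) if dot else low
        if not low or not high:
            raise ValueError(f"bad category term: {part!r}")
        a, b = int(low.group(1)), int(high.group(1))
        if a > b or b > max_cat:
            raise ValueError(f"category out of range: {part!r}")
        cats.update(range(a, b + 1))
    return frozenset(cats)


def parse_level(text, max_sens=15, max_cat=255):
    """Parse 's2:c1,c5.c7' into (2, frozenset({1, 5, 6, 7})).

    The default limits are the ones quoted in the text (assumption: the
    policy was built with exactly those limits).
    """
    m = LEVEL_RE.match(text)
    if m is None:
        raise ValueError(f"bad level: {text!r}")
    sens = int(m.group(1))
    if sens > max_sens:
        raise ValueError(f"sensitivity out of range: {text!r}")
    cats = parse_categories(m.group(2), max_cat) if m.group(2) else frozenset()
    return sens, cats


def dominates(a, b):
    """a dominates b: sensitivity at least as high AND a superset of b's set."""
    return a[0] >= b[0] and a[1] >= b[1]


def parse_range(text, **limits):
    """Parse 'low-high' (or a single level) into (low, high) with high >= low."""
    low_txt, dash, high_txt = text.partition("-")
    low = parse_level(low_txt, **limits)
    high = parse_level(high_txt, **limits) if dash else low
    if not dominates(high, low):
        raise ValueError(f"high level does not dominate low level: {text!r}")
    return low, high


def effective_level(context, **limits):
    """Low end of the level in user:role:type:level (the fourth field)."""
    parts = context.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"context has no level field: {context!r}")
    return parse_range(parts[3], **limits)[0]


def can_read(subject_ctx, object_ctx):
    """No read up: the subject's level must dominate the object's."""
    return dominates(effective_level(subject_ctx), effective_level(object_ctx))


def can_write(subject_ctx, object_ctx):
    """No write down: the object's level must dominate the subject's."""
    return dominates(effective_level(object_ctx), effective_level(subject_ctx))


if __name__ == "__main__":
    # Constructed contexts, for illustration only.
    subject = "staff_u:staff_r:staff_t:s2:c1.c3"
    secret_obj = "system_u:object_r:etc_t:s1:c2"
    print("read: ", can_read(subject, secret_obj))    # subject dominates object
    print("write:", can_write(subject, secret_obj))   # would leak downwards
    # MCS case: same sensitivity, disjoint sets, so neither side dominates.
    print(dominates(parse_level("s0:c3"), parse_level("s0:c5")))
```

Two levels with the same sensitivity but different sets are incomparable, which is what lets MCS separate users at s0 without any hierarchy.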
<br />
* [http://danwalsh.livejournal.com/26759.html Minimum]<br />
<br />
The ovirt team was looking for a minimal policy to run on low-memory machines, one that confines only virtual machines. ovirt does not run any of the services confined by targeted policy, so they did not want the overhead of having those policies on the machine. Similarly, people are experimenting with using SELinux on "devices" like smart phones. What policy do we have for them?<br />
<br />
In Fedora 10 we introduced selinux-policy-minimum. Minimum policy is built exactly the same as targeted policy, but installs ONLY the base policy package and the unconfined.pp. All of the SELinux policy modules from the targeted policy are in the selinux-policy-minimum RPM package but they are not compiled and loaded into the kernel in the post install.<br />
<br />
Pretty much everything on this system runs as initrc_t or unconfined_t so all of the domains are unconfined.</div>Domg472https://fedoraproject.org/w/index.php?title=SELinux&diff=106792SELinux2009-06-08T20:15:40Z<p>Domg472: </p>
<hr />
<div>= Fedora SELinux Project Pages =<br />
<br />
* [[SELinux/Understanding| Understanding SELinux]] <br />
* [[SELinux/Policies| Discussion of Policies]] <br />
* [[SELinux/Troubleshooting| Troubleshooting SELinux]] <br />
* [[SELinux/MCS| Multi Category Security/MCS]] <br />
* [[SELinux/MLS| Multi Level Security/MLS]] <br />
* [[SELinux/LoadableModules| Loadable Modules]] <br />
* [[SELinux/PolicyGenTools| Policy Generation Tools]] <br />
* [[SELinux/setroubleshoot| Troubleshoot Tool]] <br />
<br />
== Topics ==<br />
<br />
* [[SELinux/FC5Features| New SELinux features in FC5]] <br />
* [[SELinux/Commands| SELinux Commands]] <br />
* [[SELinux/Domains| Confined Domains]] <br />
<br />
== Documentation ==<br />
<br />
* [[SELinux/FAQ| FAQs]] <br />
* [http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/ Fedora 10 - Security-Enhanced Linux User Guide]<br />
* [http://www.redhat.com/docs/manuals/enterprise/RHEL-4-Manual/selinux-guide/index.html Red Hat Enterprise Linux 4 - SELinux Guide] <br />
* http://www.redhat.com/magazine/001nov04/features/selinux/<br />
* http://www.redhat.com/magazine/006apr05/features/selinux/<br />
* http://www.redhatmagazine.com/2007/05/04/whats-new-in-selinux-for-red-hat-enterprise-linux-5/<br />
* http://www.redhat.com/v/swf/SELinux/ - DanielWalsh (Red Hat SELinux developer)'s Flash presentation.<br />
* http://danwalsh.livejournal.com/ - DanielWalsh's blog, which has a continuous discourse on understanding and using SELinux. Check other posts.<br />
* http://searchenterpriselinux.techtarget.com/columnItem/0,294698,sid39_gci1253747,00.html Five ways SELinux may surprise you<br />
* http://www.tresys.com/selinux<br />
* http://www.nsa.gov/selinux/<br />
* [[Selinux_grammar| Grammar for policy language]]<br />
<br />
If you want to work on formal documentation, you can use the [[Docs/Drafts/SELinux| Docs/Drafts/SELinux]] namespace. When you are done editing the draft, it can migrate to [[Docs/SELinux| Docs/SELinux]] . Doing this lends an air of formality and provides higher immutability and accountability in the wiki, as only the DocWritersGroup can edit the Docs/ namespace</div>Domg472https://fedoraproject.org/w/index.php?title=SELinux_FAQ&diff=106790SELinux FAQ2009-06-08T20:08:42Z<p>Domg472: </p>
<hr />
<div>= Frequently Asked Questions =<br />
<br />
{{Admon/note | The current draft in the wiki is a work in progress. Do not rely on it currently. Older versions of the FAQ are available in the references section.}}<br />
<br />
== What is SELinux? ==<br />
<br />
SELinux (Security-Enhanced Linux) is a security feature in the Linux kernel, enabled by default in Fedora, that provides more fine-grained access control than traditional file permissions. A centralized policy determines which software can access what resources. For example, network services can be confined to a particular port, and the Apache web server can be restricted so that it can connect only to port 80 by default. <br />
<br />
== Where can I go to provide feedback or ask for help? ==<br />
<br />
You can provide feedback on bugs and issues via http://bugzilla.redhat.com and ask for help or clarification on the fedora-selinux mailing list at http://www.redhat.com/mailman/listinfo/fedora-selinux-list<br />
<br />
== Who developed SELinux? ==<br />
<br />
NSA (National Security Agency) developed SELinux initially. It has partnered with Red Hat to continue development and carry out integration of SELinux into Fedora and Red Hat Enterprise Linux. It is not specific to Red Hat however and other Linux distributions and other operating systems have adopted SELinux and similar frameworks.<br />
<br />
== Is it a firewall? ==<br />
<br />
Though often confused with one, SELinux is not a firewall. A firewall controls the flow of traffic between a computer and the network. SELinux confines the access of programs within a computer, and hence can be thought of conceptually as an internal firewall between programs. Security works best when multiple layers are used, and SELinux is complementary to a firewall and the other security features used in Fedora. <br />
<br />
== Is it useful on a desktop? ==<br />
<br />
Yes. SELinux policies in Fedora were initially focused on network-facing services. However, several dozen desktop programs, including Firefox, HAL and D-Bus, are protected by default using SELinux policies in current releases of Fedora. <br />
<br />
== How do I find out if SELinux is enabled on my system? ==<br />
<br />
Run the <code>sestatus</code> command to find out the current status of SELinux. SELinux can be in three different modes:<br />
<br />
* Enabled: SELinux is enabled and SELinux policy is enforced<br />
* Disabled: SELinux is disabled and has no effect on your system<br />
* Permissive: SELinux is enabled but merely logs warnings instead of enforcing access. This mode is useful for troubleshooting. <br />
<br />
== How do I find out whether SELinux is denying access for any software? ==<br />
<br />
When SELinux prevents software from accessing a particular resource, for example when Firefox is denied access to /etc/shadow, it generates a message and logs it in /var/log/audit/audit.log, or in /var/log/messages if the audit service is disabled. If the log contains "avc: denied", it is an SELinux policy denial. Note that you need administrator privileges (root access) on your system to read this log file. An example denial looks like this:<br />
<br />
<pre><br />
<br />
type=AVC msg=audit(1214965667.121:635): avc: denied { unix_read unix_write } for pid=15524 comm="npviewer.bin" <br />
key=59918130 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 <br />
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s<br />
<br />
</pre><br />
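A way to triage such records in bulk, as an added example (not code from the wiki or from setroubleshoot): it parses AVC lines, groups denials by source type, target type and object class, and reports records that were cut off before <code>tclass</code> instead of dropping them. The log lines are constructed for the example.

```python
import re

# Constructed sample lines in audit.log format (not from a real system).
# The last record is deliberately cut off before tclass.
SAMPLE_LOG = """\
type=AVC msg=audit(1244491200.101:410): avc:  denied  { read } for  pid=2201 comm="httpd" name="shadow" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1244491200.101:410): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1244491260.554:417): avc:  denied  { read write } for  pid=2201 comm="httpd" name="shadow" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1244491300.009:420): avc:  granted  { setenforce } for  pid=3000 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1244491410.777:431): avc:  denied  { name_connect } for  pid=2250 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1244491500.000:440): avc:  denied  { unix_read } for  pid=15524 comm="npviewer.bin" key=59918130 scontext=unconfined_u:unconfined_r:nsplugin_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*"
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def split_context(ctx):
    """Split user:role:type[:level]; the level may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3 or not all(parts[:3]):
        return None
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    source = split_context(fields.get("scontext", ""))
    target = split_context(fields.get("tcontext", ""))
    return {
        "time": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "source": source,
        "target": target,
        "tclass": fields.get("tclass"),
        # Usable for triage only if both contexts and the class survived.
        "complete": bool(source and target and fields.get("tclass")),
    }


def summarize_denials(log_text):
    """Group denials by (source type, target type, class).

    Returns (summary, incomplete_serials). Granted and non-AVC records are
    skipped; truncated denials are listed by audit serial number.
    """
    summary, incomplete = {}, []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if not rec["complete"]:
            incomplete.append(rec["serial"])
            continue
        key = (rec["source"]["type"], rec["target"]["type"], rec["tclass"])
        entry = summary.setdefault(key, {"count": 0, "perms": set(), "comms": set()})
        entry["count"] += 1
        entry["perms"].update(rec["perms"])
        entry["comms"].add(rec["comm"])
    return summary, incomplete


if __name__ == "__main__":
    summary, incomplete = summarize_denials(SAMPLE_LOG)
    for (src, tgt, cls), entry in sorted(summary.items()):
        perms = " ".join(sorted(entry["perms"]))
        comms = ", ".join(sorted(entry["comms"]))
        print(src, "->", tgt, cls, "perms:", perms, "count:", entry["count"], "by:", comms)
    print("truncated records (audit serials):", incomplete)
```

Grouping by type pair and class collapses repeated denials from one misbehaving service into a single line, which is the unit a policy rule or boolean would address.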
<br />
== How do I understand SELinux denials? ==<br />
<br />
[https://fedorahosted.org/setroubleshoot setroubleshoot] is a utility that parses the messages from SELinux and provides comprehensive help on what they mean and possible actions to take. It has both a graphical utility for your desktop and a server-side component that can send email alerts. It is installed by default on Fedora. If you wish to install it on your system, use Add/Remove programs or run the following command as the root user. <br />
<br />
<pre><br />
yum install setroubleshoot<br />
</pre><br />
<br />
== How do I enable or disable SELinux ? ==<br />
<br />
SELinux is enabled by default in Fedora. SELinux policy has booleans that can be used to disable SELinux for specific services, or you can disable SELinux entirely. If you want to disable SELinux entirely, you can use system-config-selinux (part of the policycoreutils-gui package) to do this graphically, or set the value of SELINUX in /etc/selinux/config to disabled. However, it is highly recommended that you set it to permissive instead, since permissive mode still shows you the denials and does not require relabeling the entire system when you enable SELinux again. You can pass selinux=0 at the installation boot prompt to disable SELinux during installation, or refer to the [http://fedoraproject.org/wiki/Anaconda/Kickstart kickstart] documentation for automated installations. <br />
<br />
== How does SELinux work? ==<br />
<br />
<br />
== What are SELinux booleans ? ==<br />
<br />
SELinux booleans enable runtime customization of the SELinux policy. SELinux policy in Fedora has several booleans that allow you to quickly toggle a particular change in the policy. For example, httpd_enable_cgi allows the httpd (Apache) web server to run CGI scripts if it is enabled. system-config-selinux offers a graphical utility to manage SELinux booleans. You can get a comprehensive list of SELinux booleans in the current policy using the getsebool -a command. You can also change the value of a boolean at runtime using the setsebool or togglesebool command. In order for a boolean change to be permanent rather than apply only to the current session, you need to pass the -P parameter when setting its value. For example, running the following command as the root user disables the ability of the httpd web server to run CGI scripts. <br />
<br />
<pre><br />
<br />
setsebool -P httpd_enable_cgi=0<br />
<br />
</pre> <br />
<br />
<br />
== What is SELinux policy ? ==<br />
<br />
<br />
== What is mandatory access control ? ==<br />
<br />
SELinux (Security-Enhanced Linux) in Fedora is an implementation of mandatory access control in the Linux kernel using the Linux Security Modules (LSM) framework. Discretionary access control (DAC) is standard Linux security, and it provides no protection from broken software or malware running as a normal user or root. Users can grant risky levels of access to files they own. Mandatory access control (MAC) provides full control over all interactions of software. Administratively defined policy closely controls user and process interactions with the system, and can provide protection from broken software or malware running as any user. <br />
<br />
In a DAC model, file and resource decisions are based solely on user identity and ownership of the objects. Each user and program run by that user has complete discretion over the user's objects. Malicious or flawed software can do anything with the files and resources it controls through the user that started the process. If the user is the super-user or the application is setuid or setgid to root, the process can have root level control over the entire file system.<br />
<br />
A MAC system does not suffer from these problems. First, you can administratively define a security policy over all processes and objects. Second, you control all processes and objects, in the case of SELinux through the kernel. Third, decisions are based on all the security relevant information available, and not just authenticated user identity.<br />
<br />
MAC under SELinux allows you to provide granular permissions for all subjects (users, programs, processes) and objects (files, devices). In practice, think of subjects as processes, and objects as the target of a process operation. You can safely grant a process only the permissions it needs to perform its function, and no more.<br />
<br />
The SELinux implementation uses role-based access control (RBAC), which provides abstracted user-level control based on roles, and Type Enforcement® (TE). TE uses a table, or matrix to handle access controls, enforcing policy rules based on the types of processes and objects. Process types are called domains, and a cross-reference on the matrix of the process's domain and the object's type defines their interaction. This system provides extremely granular control for actors in a Linux system. <br />
<br />
== How can I back up files from an SELinux file system? ==<br />
<br />
Use the star utility, which supports the extended attributes that store the security context labels. Specify the -xattr and -H=exustar options when creating archives.<br />
<br />
<pre><br />
<br />
ls -Z /var/log/maillog<br />
-rw------- root root system_u:object_r:var_log_t /var/log/maillog<br />
cd /var/log<br />
star -xattr -H=exustar -c -f maillog.star ./maillog*<br />
<br />
</pre><br />
<br />
{{Template:Warning}} Absolute paths can overwrite existing data<br />
<br />
If you use an absolute path, such as /var/log/maillog, when you unpack the archive with star -x -f, the files are restored on the same path they were archived with. The maillog file attempts to write to /var/log/maillog. You should receive a warning from star if the files about to be overwritten have a later date, but you cannot rely on this behavior.<br />
<br />
Consider carefully how you construct your archiving argument. <br />
<br />
== What is the performance impact of SELinux? ==<br />
<br />
This is a variable that is hard to measure, and is heavily dependent on the tuning and usage of the system running SELinux. For desktop usage, there should be no measurable impact. If you are interested in doing more precise benchmarks, post to the fedora-selinux list. <br />
<br />
== Which Linux distributions have adopted SELinux? ==<br />
<br />
Fedora and Fedora-derived distributions such as Red Hat Enterprise Linux have been leading the effort. However, several other Linux distributions such as Debian, Gentoo, and Ubuntu have adopted SELinux too. A comprehensive list is available at http://selinux.sf.net<br />
<br />
== What about other operating systems? ==<br />
<br />
SELinux is based on the Flask security model, which has been adopted by other operating systems such as FreeBSD and OpenSolaris:<br />
<br />
* http://www.trustedbsd.org/sebsd.html<br />
* http://www.sedarwin.org/<br />
* http://www.opensolaris.org/os/project/fmac/<br />
<br />
== Where can I find more information? ==<br />
<br />
* http://fedoraproject.org/wiki/SELinux has links to more documentation and other references. <br />
<br />
== Previous FAQs ==<br />
<br />
* [http://docs.fedoraproject.org/selinux-faq-fc5 Fedora Core 5 FAQ ] <br />
* [http://docs.fedoraproject.org/selinux-faq Previous Versions FAQs ] <br />
* [http://docs.fedoraproject.org/selinux-apache-fc3/ Understanding and Customizing the Apache HTTP SELinux Policy ] <br />
* [[SELinux/FAQ/ProposedAdditions| Proposed additions to the FAQ ]]<br />
<br />
<br />
[[Category:FAQ]]<br />
[[Category:Draft Documentation]]</div>Domg472