Fedora

Docs/Drafts/SELinux User Guide/Previous TOC Ideas

From FedoraProject

What the Documentation Covers (in no particular order, and subject to change)

• Draft table of contents.

From the current SELinux documentation todo list:

• "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
• Document Confined Users".
• "Update FC5 FAQ".
• "Document the use of the mount command for overriding file context".
• "Describe Audit2allow and how it can just Fix the machine".
• "Update and organize the Fedora SELinux FAQ".

---

Previous TOC Ideas

• Basic access control concepts.
• SELinux concepts:
  • Domains and Types.
  • Contexts.
  • Targets/Processes/Files.
• How do I find out if SELinux is enabled on my system?
• Confined and unconfined processes (ps auxZ).
• Main files: /selinux/ and /etc/selinux/config.
• How to correctly disable SELinux (not sure if we want this ;) )
• Maintaining correct labels:
  • View labels using ls -Z
  • Copying Vs moving files.
  • Using user_home_t files on other machines, such as a user moving their ~/.ssh/authorized_keys file to another machine.
  • Relabeling an entire file system.
  • Possible problems caused from running in permissive mode, such as having permissions to mislabel files.
  • mislabeled files, relabeled but still problems, touch /.autorelabel (Dans journal).
• Red Hat Enterprise Linux 5 Deployment Guide: End User Control of SELinux.
• SELinux and virtualization (relabeling images if images are not in /etc/xen/).
• Logging:
  • Are SELinux denials taking up too much space? This came from #selinux.
  • Amount of denials in permissive mode Vs enforcing mode.
  • Searching for specific denials (from #selinux, "/sbin/ausearch -m avc -ts today | grep search | head -n 1", "sealert -l \*").
  • Where are the log files kept? (/var/log/audit/audit.d, /var/log/messages, etc. Basic explanation of which one will be used).
• Basic interpretation of SELinux denials, and where to get help, (maybe mail <fedora-selinux-list@redhat.com>). From #selinux:

(06:19:50 PM) hatty: Hi , I get this in my log audit(1216043069.444:37): avc:  
denied  { search } for  pid=726 comm="busybox" name="" , what is the meaning of name="" ?

"(08:58:22 PM) domg472: anyways hatty consider this: target objects can be any objects, 
object arent just file object but there also other kimds of object that may not carry a 
name for example ports interfaces or the ojects of subject ( process objects )"

• Controlling system daemons with booleans:
  • getsebool -a, setsebool -P; how to find information about booleans listed from getsebool.
  • Common items people want to change.
• Installing and upgrading SELinux packages.
  • Upgrade problems if you start from a non-SELinux labeled file system?
  • Missing SELinux users (semanage user -l)
• Not running X : setroubleshoot-server, run sealert -l \*, <https://www.redhat.com/archives/fedora-selinux-list/2008-July/msg00004.html>.
• Confining Users
  • <http://www.redhatmagazine.com/2008/07/02/writing-policy-for-confined-selinux-users/>.
  • <http://www.redhatmagazine.com/2008/04/17/fedora-9-and-summit-preview-confining-the-user-with-selinux>.
• Mounting:
  • Do mount points need to be mnt_t?

Commands:

getsebool -a
setsebool -P
sestatus -v
restorecon
fixfiles
newrole

Copyright © 2012 Red Hat, Inc. and others. All Rights Reserved. For comments or queries, please contact us.

The Fedora Project is maintained and driven by the community and sponsored by Red Hat. This is a community maintained site. Red Hat is not responsible for content.

• This page was last modified on 28 February 2009, at 00:46.
• Content is available under Attribution-Share Alike 3.0 Unported.

• Privacy policy
• About FedoraProject
• Disclaimers
• Sponsors
• Legal
• Trademark Guidelines