Docs/Drafts/SELinux User Guide/Previous TOC Ideas

From FedoraProject

What the Documentation Covers (in no particular order, and subject to change)

From the current SELinux documentation todo list:

  • "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
  • "Document Confined Users".
  • "Update FC5 FAQ".
  • "Document the use of the mount command for overriding file context".
  • "Describe Audit2allow and how it can just Fix the machine".
  • "Update and organize the Fedora SELinux FAQ".

Previous TOC Ideas

  • Basic access control concepts.
  • SELinux concepts:
    • Domains and Types.
    • Contexts.
    • Targets/Processes/Files.
  • How do I find out if SELinux is enabled on my system?
  • Confined and unconfined processes (ps auxZ).
  • Main files: /selinux/ and /etc/selinux/config.
  • How to correctly disable SELinux (not sure if we want this ;) )
  • Maintaining correct labels:
    • View labels using ls -Z
    • Copying vs. moving files.
    • Using user_home_t files on other machines, such as a user moving their ~/.ssh/authorized_keys file to another machine.
    • Relabeling an entire file system.
    • Possible problems caused by running in permissive mode, such as having permissions to mislabel files.
    • Mislabeled files, relabeled but still problems, touch /.autorelabel (Dan's journal).
  • Red Hat Enterprise Linux 5 Deployment Guide: End User Control of SELinux.
  • SELinux and virtualization (relabeling images if images are not in /etc/xen/).
  • Logging:
    • Are SELinux denials taking up too much space? This came from #selinux.
    • Number of denials in permissive mode vs. enforcing mode.
    • Searching for specific denials (from #selinux, "/sbin/ausearch -m avc -ts today | grep search | head -n 1", "sealert -l \*").
    • Where are the log files kept? (/var/log/audit/audit.d, /var/log/messages, etc. Basic explanation of which one will be used).
  • Basic interpretation of SELinux denials, and where to get help (maybe mail <fedora-selinux-list@redhat.com>). From #selinux:
(06:19:50 PM) hatty: Hi, I get this in my log audit(1216043069.444:37): avc:  
denied  { search } for  pid=726 comm="busybox" name="", what is the meaning of name=""?

"(08:58:22 PM) domg472: anyways hatty consider this: target objects can be any objects, 
objects aren't just file objects but there are also other kinds of objects that may not carry a 
name, for example ports, interfaces or the objects of subject (process objects)"

Commands:

getsebool -a
setsebool -P
sestatus -v
restorecon
fixfiles
newrole