From Fedora Project Wiki
(backing up initial toc ideas) |
m (add cat) |
||
Line 66: | Line 66: | ||
newrole | newrole | ||
</pre> | </pre> | ||
[[Category:SELinux docs]] |
Latest revision as of 00:46, 28 February 2009
What the Documentation Covers (in no particular order, and subject to change)
From the current SELinux documentation todo list:
- "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
- Document Confined Users".
- "Update FC5 FAQ".
- "Document the use of the mount command for overriding file context".
- "Describe Audit2allow and how it can just Fix the machine".
- "Update and organize the Fedora SELinux FAQ".
- Basic access control concepts.
- SELinux concepts:
- Domains and Types.
- Contexts.
- Targets/Processes/Files.
- How do I find out if SELinux is enabled on my system?
- Confined and unconfined processes (
ps auxZ
). - Main files:
/selinux/
and/etc/selinux/config
. - How to correctly disable SELinux (not sure if we want this ;) )
- Maintaining correct labels:
- View labels using
ls -Z
- Copying Vs moving files.
- Using user_home_t files on other machines, such as a user moving their
~/.ssh/authorized_keys
file to another machine. - Relabeling an entire file system.
- Possible problems caused from running in permissive mode, such as having permissions to mislabel files.
- mislabeled files, relabeled but still problems,
touch /.autorelabel
(Dans journal).
- View labels using
- Red Hat Enterprise Linux 5 Deployment Guide: End User Control of SELinux.
- SELinux and virtualization (relabeling images if images are not in
/etc/xen/
). - Logging:
- Are SELinux denials taking up too much space? This came from #selinux.
- Amount of denials in permissive mode Vs enforcing mode.
- Searching for specific denials (from #selinux,
"/sbin/ausearch -m avc -ts today | grep search | head -n 1", "sealert -l \*"
). - Where are the log files kept? (
/var/log/audit/audit.d
,/var/log/messages
, etc. Basic explanation of which one will be used).
- Basic interpretation of SELinux denials, and where to get help, (maybe mail <fedora-selinux-list@redhat.com>). From #selinux:
(06:19:50 PM) hatty: Hi , I get this in my log audit(1216043069.444:37): avc: denied { search } for pid=726 comm="busybox" name="" , what is the meaning of name="" ? "(08:58:22 PM) domg472: anyways hatty consider this: target objects can be any objects, object arent just file object but there also other kimds of object that may not carry a name for example ports interfaces or the ojects of subject ( process objects )"
- Controlling system daemons with booleans:
getsebool -a
,setsebool -P
; how to find information about booleans listed from getsebool.- Common items people want to change.
- Installing and upgrading SELinux packages.
- Upgrade problems if you start from a non-SELinux labeled file system?
- Missing SELinux users (
semanage user -l
)
- Not running X :
setroubleshoot-server
, runsealert -l \*
, <https://www.redhat.com/archives/fedora-selinux-list/2008-July/msg00004.html>. - Confining Users
- Mounting:
- Do mount points need to be
mnt_t
?
- Do mount points need to be
Commands:
getsebool -a setsebool -P sestatus -v restorecon fixfiles newrole