From Fedora Project Wiki

What the Documentation Covers (in no particular order, and subject to change)

From the current SELinux documentation todo list:

  • "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
  • "Document Confined Users".
  • "Update FC5 FAQ".
  • "Document the use of the mount command for overriding file context".
  • "Describe Audit2allow and how it can just Fix the machine".
  • "Update and organize the Fedora SELinux FAQ".

Previous TOC Ideas

  • Basic access control concepts.
  • SELinux concepts:
    • Domains and Types.
    • Contexts.
    • Targets/Processes/Files.
  • How do I find out if SELinux is enabled on my system?
  • Confined and unconfined processes (ps auxZ).
  • Main files: /selinux/ and /etc/selinux/config.
  • How to correctly disable SELinux (not sure if we want this ;) )
  • Maintaining correct labels:
    • View labels using ls -Z
    • Copying vs. moving files.
    • Using user_home_t files on other machines, such as a user moving their ~/.ssh/authorized_keys file to another machine.
    • Relabeling an entire file system.
    • Possible problems caused by running in permissive mode, such as having permissions to mislabel files.
    • Mislabeled files that were relabeled but still cause problems; touch /.autorelabel (Dan's journal).
  • Red Hat Enterprise Linux 5 Deployment Guide: End User Control of SELinux.
  • SELinux and virtualization (relabeling images if images are not in /etc/xen/).
  • Logging:
    • Are SELinux denials taking up too much space? This came from #selinux.
    • Number of denials in permissive mode vs. enforcing mode.
    • Searching for specific denials (from #selinux, "/sbin/ausearch -m avc -ts today | grep search | head -n 1", "sealert -l \*").
    • Where are the log files kept? (/var/log/audit/audit.d, /var/log/messages, etc. Basic explanation of which one will be used).
  • Basic interpretation of SELinux denials, and where to get help (maybe mail <fedora-selinux-list@redhat.com>). From #selinux:
(06:19:50 PM) hatty: Hi, I get this in my log audit(1216043069.444:37): avc:  
denied  { search } for  pid=726 comm="busybox" name="", what is the meaning of name=""?

"(08:58:22 PM) domg472: anyways hatty consider this: target objects can be any objects, 
objects aren't just file objects but there are also other kinds of objects that may not carry a 
name, for example ports, interfaces or the objects of subjects (process objects)"

Commands:

getsebool -a
setsebool -P
sestatus -v
restorecon
fixfiles
newrole