Author: kwade Update of /cvs/fedora/web/html/docs/selinux-faq-fc5 In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv1195 Modified Files: index.php Log Message: Resolves bz #188219. Index: index.php =================================================================== RCS file: /cvs/fedora/web/html/docs/selinux-faq-fc5/index.php,v retrieving revision 1.2 retrieving revision 1.3 diff -u -r1.2 -r1.3 --- index.php 24 Mar 2006 19:30:00 -0000 1.2 +++ index.php 7 Apr 2006 13:58:36 -0000 1.3 @@ -25,7 +25,7 @@ <div><p class="copyright">Copyright © 2006 Chad Sellers, Paul W. Frields</p></div> <div><div class="legalnotice"> <a name="legalnotice"></a><p> - Copyright (c) 2006 by Red Hat, Inc. and others. This material may be + Copyright (c) 2006 by Fedora Foundation and others. This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0, available at <a href="http://www.opencontent.org/openpub/"; target="_top">http://www.opencontent.org/openpub/</a>. </p> @@ -38,7 +38,7 @@ <p> FEDORA, FEDORA PROJECT, and the Fedora Logo are trademarks of Red Hat, Inc., are registered or pending registration in the U.S. and other countries, and - are used here under license to the Fedora Project. + are used here under license to the Fedora Foundation. </p> <p> Red Hat and the Red Hat "Shadow Man" logo are registered trademarks of Red Hat, Inc. @@ -187,7 +187,7 @@ XML, which is available from CVS (refer to <a href="http://fedora.redhat.com/projects/docs/"; target="_top">http://fedora.redhat.com/projects/docs/</a> for details on obtaining the fedora-docs/selinux-faq module from anonymous CVS; you can get just the <code class="filename">fedora-docs/selinux-faq</code> module if you - don't want the entire <code class="filename">fedora-dcs</code> tree.) Otherwise, + don't want the entire <code class="filename">fedora-docs</code> tree.) Otherwise, plain text showing before and after is sufficient. </p> <p> @@ -200,11 +200,11 @@ <dt>1.1. <a href="#faq-div-understanding-selinux">Understanding SELinux</a> </dt> <dd><dl> -<dt>Q: <a href="#id2730692"> +<dt>Q: <a href="#id2562097"> What is SELinux? </a> </dt> -<dt>Q: <a href="#id2732137"> +<dt>Q: <a href="#id2563544"> What is SELinux policy? </a> </dt> @@ -212,15 +212,15 @@ What is the SELinux targeted policy? </a> </dt> -<dt>Q: <a href="#id2732394"> +<dt>Q: <a href="#id2563800"> What programs are protected by the targeted policy? </a> </dt> -<dt>Q: <a href="#id2745278"> +<dt>Q: <a href="#id2576685"> What about the strict policy? Does it even work? </a> </dt> -<dt>Q: <a href="#id2745344"> +<dt>Q: <a href="#id2576751"> What is the mls policy? Who is it for? </a> </dt> @@ -228,15 +228,15 @@ What is the Reference Policy? </a> </dt> -<dt>Q: <a href="#id2745437"> +<dt>Q: <a href="#id2576844"> What are file contexts? </a> </dt> -<dt>Q: <a href="#id2745502"> +<dt>Q: <a href="#id2576909"> How do I view the security context of a file, user, or process? </a> </dt> -<dt>Q: <a href="#id2745540"> +<dt>Q: <a href="#id2576946"> What is the difference between a domain and a type? </a> @@ -253,19 +253,19 @@ <dt>1.2. <a href="#faq-div-controlling-selinux">Controlling SELinux</a> </dt> <dd><dl> -<dt>Q: <a href="#id2783681"> +<dt>Q: <a href="#id2615086"> How do I install/not install SELinux? </a> </dt> -<dt>Q: <a href="#id2783707"> +<dt>Q: <a href="#id2615112"> How do I switch the policy I am currently using? </a> </dt> -<dt>Q: <a href="#id2783924"> +<dt>Q: <a href="#id2615328"> How can I back up files from an SELinux file system? </a> </dt> -<dt>Q: <a href="#id2784024"> +<dt>Q: <a href="#id2615428"> How can I install the strict policy by default with kickstart? </a> </dt> @@ -274,49 +274,49 @@ the targeted policy? </a> </dt> -<dt>Q: <a href="#id2784146"> +<dt>Q: <a href="#id2615550"> How do I make a user public_html directory work under SELinux? </a> </dt> -<dt>Q: <a href="#id2784358"> +<dt>Q: <a href="#id2615762"> How do I turn SELinux off at boot? </a> </dt> -<dt>Q: <a href="#id2784418"> +<dt>Q: <a href="#id2615823"> How do I turn enforcing on/off at boot? </a> </dt> -<dt>Q: <a href="#id2784537"> +<dt>Q: <a href="#id2615940"> How do I temporarily turn off enforcing mode without having to reboot? </a> </dt> -<dt>Q: <a href="#id2784604"> +<dt>Q: <a href="#id2616008"> How do I turn system call auditing on/off at boot? </a> </dt> -<dt>Q: <a href="#id2784647"> +<dt>Q: <a href="#id2616051"> How do I temporarily turn off system-call auditing without having to reboot? </a> </dt> -<dt>Q: <a href="#id2784672"> +<dt>Q: <a href="#id2616076"> How do I get status info about my SELinux installation? </a> </dt> -<dt>Q: <a href="#id2784703"> +<dt>Q: <a href="#id2616107"> How do I write policy to allow a domain to use pam_unix.so? </a> </dt> -<dt>Q: <a href="#id2784794"> +<dt>Q: <a href="#id2616198"> In the past I have written local.te file in policy sources for my own local customization to policy, how do I do this with Reference Policy? </a> </dt> -<dt>Q: <a href="#id2784972"> - I created a new Policy Package where do I put it to make sure that +<dt>Q: <a href="#id2616375"> + I created a new Policy Package, where do I put it to make sure that it gets loaded into the kernel? </a> </dt> @@ -324,46 +324,46 @@ <dt>1.3. <a href="#faq-div-resolving-problems">Resolving Problems</a> </dt> <dd><dl> -<dt>Q: <a href="#id2785038"> +<dt>Q: <a href="#id2616441"> My application isn't working as expected and I am seeing avc: denied messages. How do I fix this? </a> </dt> -<dt>Q: <a href="#id2785134"> +<dt>Q: <a href="#id2616536"> I installed Fedora Core on a system with an existing /home partition, and now I can't log in. </a> </dt> -<dt>Q: <a href="#id2785231"> +<dt>Q: <a href="#id2616634"> After relabeling my /home using - setfiles or fixfiles, will I + setfiles or fixfiles, am I still be able to read /home with a non-SELinux-enabled system? </a> </dt> -<dt>Q: <a href="#id2785289"> +<dt>Q: <a href="#id2616691"> How do I share directories using NFS between Fedora Core and non-SELinux systems? </a> </dt> -<dt>Q: <a href="#id2785356"> +<dt>Q: <a href="#id2616759"> How can I create a new Linux user account with the user's home directory having the proper context? </a> </dt> -<dt>Q: <a href="#id2785474"> +<dt>Q: <a href="#id2616876"> I'm having troubles with avc errors filling my logs for a particular program. How do I choose not to audit the access for it? </a> </dt> -<dt>Q: <a href="#id2785559"> +<dt>Q: <a href="#id2616961"> Even running in permissive mode, I'm getting a large number of avc denied messages. </a> </dt> -<dt>Q: <a href="#id2785601"> +<dt>Q: <a href="#id2617009"> I get a specific permission denial only when SELinux is in enforcing mode, but I don't see any audit messages in /var/log/messages (or @@ -372,97 +372,97 @@ cause of these silent denials? </a> </dt> -<dt>Q: <a href="#id2785724"> +<dt>Q: <a href="#id2617132"> Why do I not see the output when I run certain daemons in debug or interactive mode? </a> </dt> -<dt>Q: <a href="#id2785822"> +<dt>Q: <a href="#id2617236"> When I do an upgrade of the policy package (for example, using yum), what happens with the policy? Is it updated automatically? </a> </dt> -<dt>Q: <a href="#id2785920"> +<dt>Q: <a href="#id2617335"> If the policy shipping with an application package changes in a way that requires relabeling, will RPM handle relabeling the files owned by the package? </a> </dt> -<dt>Q: <a href="#id2786002"> +<dt>Q: <a href="#id2617417"> Why do binary policies distributed with Fedora, such as /etc/selinux/<policyname>/policy/policy.<version>, and those I compile myself have different sizes and MD5 checksums? </a> </dt> -<dt>Q: <a href="#id2786066"> +<dt>Q: <a href="#id2617480"> Will new policy packages disable my system? </a> </dt> -<dt>Q: <a href="#id2786102"> +<dt>Q: <a href="#id2617516"> How can I help write policy? </a> </dt> -<dt>Q: <a href="#id2786409"> +<dt>Q: <a href="#id2617824"> My console is being flooded with messages. How do I turn them off? </a> </dt> -<dt>Q: <a href="#id2786440"> +<dt>Q: <a href="#id2617854"> Can I test the default policy without installing the policy source? </a> </dt> -<dt>Q: <a href="#id2786537"> +<dt>Q: <a href="#id2617952"> Why are some of my KDE applications having trouble under SELinux? </a> </dt> -<dt>Q: <a href="#id2786613"> +<dt>Q: <a href="#id2618028"> Why does SELINUX=disabled not work for me? </a> </dt> -<dt>Q: <a href="#id2786640"> +<dt>Q: <a href="#id2618055"> I have a process running as unconfined_t, and SELinux is still preventing my application from running. </a> </dt> -<dt>Q: <a href="#id2786780"> +<dt>Q: <a href="#id2618194"> What do these rpm errors mean? </a> </dt> -<dt>Q: <a href="#id2729318"> +<dt>Q: <a href="#id2618270"> I want to run a daemon on a non standard port but SELinux will not allow me. How do get this to work? </a> </dt> -<dt>Q: <a href="#id2729356"> +<dt>Q: <a href="#id2618308"> How do I add additional translations to my MCS/MLS system? </a> </dt> -<dt>Q: <a href="#id2787091"> +<dt>Q: <a href="#id2618365"> I have setup my MCS/MLS translations, now I want to designate which users can read a given category? </a> </dt> -<dt>Q: <a href="#id2787145"> +<dt>Q: <a href="#id2618419"> I am writing an php script that needs to create temporary files in /tmp and then execute them, SELinux policy is preventing this. What should I do? </a> </dt> -<dt>Q: <a href="#id2787191"> +<dt>Q: <a href="#id2618465"> I am setting up swapping to a file, but I am seeing AVC messages in my log files? </a> </dt> -<dt>Q: <a href="#id2787228"> +<dt>Q: <a href="#id2618502"> Please explain the relabelto/relabelfrom permissions? </a> </dt> -<dt>Q: <a href="#id2787324"> +<dt>Q: <a href="#id2618598"> Where are SELinux AVC messages (denial logs, etc.) stored? </a> </dt> @@ -470,20 +470,20 @@ <dt>1.4. <a href="#faq-div-deploying-selinux">Deploying SELinux</a> </dt> <dd><dl> -<dt>Q: <a href="#id2787378"> +<dt>Q: <a href="#id2618652"> What file systems can I use for SELinux? </a> </dt> -<dt>Q: <a href="#id2787412"> +<dt>Q: <a href="#id2618686"> How does SELinux impact system performance? </a> </dt> -<dt>Q: <a href="#id2787443"> +<dt>Q: <a href="#id2618717"> What types of deployments, applications, and systems should I leverage SELinux in? </a> </dt> -<dt>Q: <a href="#id2787512"> +<dt>Q: <a href="#id2618786"> How does SELinux affect third-party applications? </a> </dt> @@ -497,11 +497,11 @@ <a name="faq-div-understanding-selinux"></a>1.1. Understanding SELinux</h4> </td></tr> <tr class="toc" colspan="2"><td align="left" valign="top" colspan="2"><dl> -<dt>Q: <a href="#id2730692"> +<dt>Q: <a href="#id2562097"> What is SELinux? </a> </dt> -<dt>Q: <a href="#id2732137"> +<dt>Q: <a href="#id2563544"> What is SELinux policy? </a> </dt> @@ -509,15 +509,15 @@ What is the SELinux targeted policy? </a> </dt> -<dt>Q: <a href="#id2732394"> +<dt>Q: <a href="#id2563800"> What programs are protected by the targeted policy? </a> </dt> -<dt>Q: <a href="#id2745278"> +<dt>Q: <a href="#id2576685"> What about the strict policy? Does it even work? </a> </dt> -<dt>Q: <a href="#id2745344"> +<dt>Q: <a href="#id2576751"> What is the mls policy? Who is it for? </a> </dt> @@ -525,15 +525,15 @@ What is the Reference Policy? </a> </dt> -<dt>Q: <a href="#id2745437"> +<dt>Q: <a href="#id2576844"> What are file contexts? </a> </dt> -<dt>Q: <a href="#id2745502"> +<dt>Q: <a href="#id2576909"> How do I view the security context of a file, user, or process? </a> </dt> -<dt>Q: <a href="#id2745540"> +<dt>Q: <a href="#id2576946"> What is the difference between a domain and a type? </a> @@ -549,7 +549,7 @@ </dl></td></tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2730692"></a><a name="id2730694"></a><b>Q:</b> +<a name="id2562097"></a><a name="id2562099"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What is SELinux? @@ -628,7 +628,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2732137"></a><a name="qa-whatis-policy"></a><b>Q:</b> +<a name="id2563544"></a><a name="qa-whatis-policy"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What is SELinux policy? @@ -679,7 +679,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="qa-whatis-targeted-policy"></a><a name="id2732292"></a><b>Q:</b> +<a name="qa-whatis-targeted-policy"></a><a name="id2563697"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What is the SELinux targeted policy? @@ -734,7 +734,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2732394"></a><a name="id2732396"></a><b>Q:</b> +<a name="id2563800"></a><a name="id2563802"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What programs are protected by the targeted policy? @@ -834,7 +834,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2745278"></a><a name="id2745280"></a><b>Q:</b> +<a name="id2576685"></a><a name="id2576687"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What about the strict policy? Does it even work? @@ -864,7 +864,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2745344"></a><a name="id2745346"></a><b>Q:</b> +<a name="id2576751"></a><a name="id2576753"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What is the mls policy? Who is it for? @@ -891,7 +891,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="faq-entry-whatis-refpolicy"></a><a name="id2745387"></a><b>Q:</b> +<a name="faq-entry-whatis-refpolicy"></a><a name="id2576793"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What is the Reference Policy? @@ -927,7 +927,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2745437"></a><a name="id2745439"></a><b>Q:</b> +<a name="id2576844"></a><a name="id2576846"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What are file contexts? @@ -954,7 +954,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2745502"></a><a name="id2745504"></a><b>Q:</b> +<a name="id2576909"></a><a name="id2576911"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I view the security context of a file, user, or process? @@ -976,7 +976,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2745540"></a><a name="id2745542"></a><b>Q:</b> +<a name="id2576946"></a><a name="id2576948"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What is the difference between a <em class="firstterm">domain</em> and @@ -994,7 +994,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="faq-entry-whatare-policy-modules"></a><a name="id2745578"></a><b>Q:</b> +<a name="faq-entry-whatare-policy-modules"></a><a name="id2576983"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What are policy modules? @@ -1011,7 +1011,7 @@ means that third party developers can ship policy modules with their applications, and then they can be added to the policy without having to switch out the entire policy in much the - same way that kernel modules can add funcationality to the kernel + same way that kernel modules can add functionality to the kernel without having to reboot the entire system. </p> <p> @@ -1023,7 +1023,7 @@ </p> <p> The primary command for dealing with modules is - <span><strong class="command">semodule</strong></span>, which will let you perform basic + <span><strong class="command">semodule</strong></span>, which lets you perform basic functions such as installing, upgrading, or removing modules. Modules are usually stored as policy package file (.pp extension) in @@ -1035,7 +1035,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="faq-entry-whatis-managed-policy"></a><a name="id2745651"></a><b>Q:</b> +<a name="faq-entry-whatis-managed-policy"></a><a name="id2577056"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What is managed policy? @@ -1048,7 +1048,7 @@ Prior to Fedora Core 5, SELinux policies were handled as user-editable config files in etc. Unfortunately, this made it difficult to address many of the usability issues arising with SELinux. So, a - new libraray, <code class="filename">libsemanage</code>, was added to + new library, <code class="filename">libsemanage</code>, was added to provide userspace tools an interface to making policy management easier. All policy management should use this library to access the policy store. The policy store holds all the policy @@ -1070,19 +1070,19 @@ <a name="faq-div-controlling-selinux"></a>1.2. Controlling SELinux</h4> </td></tr> <tr class="toc" colspan="2"><td align="left" valign="top" colspan="2"><dl> -<dt>Q: <a href="#id2783681"> +<dt>Q: <a href="#id2615086"> How do I install/not install SELinux? </a> </dt> -<dt>Q: <a href="#id2783707"> +<dt>Q: <a href="#id2615112"> How do I switch the policy I am currently using? </a> </dt> -<dt>Q: <a href="#id2783924"> +<dt>Q: <a href="#id2615328"> How can I back up files from an SELinux file system? </a> </dt> -<dt>Q: <a href="#id2784024"> +<dt>Q: <a href="#id2615428"> How can I install the strict policy by default with kickstart? </a> </dt> @@ -1091,56 +1091,56 @@ the targeted policy? </a> </dt> -<dt>Q: <a href="#id2784146"> +<dt>Q: <a href="#id2615550"> How do I make a user public_html directory work under SELinux? </a> </dt> -<dt>Q: <a href="#id2784358"> +<dt>Q: <a href="#id2615762"> How do I turn SELinux off at boot? </a> </dt> -<dt>Q: <a href="#id2784418"> +<dt>Q: <a href="#id2615823"> How do I turn enforcing on/off at boot? </a> </dt> -<dt>Q: <a href="#id2784537"> +<dt>Q: <a href="#id2615940"> How do I temporarily turn off enforcing mode without having to reboot? </a> </dt> -<dt>Q: <a href="#id2784604"> +<dt>Q: <a href="#id2616008"> How do I turn system call auditing on/off at boot? </a> </dt> -<dt>Q: <a href="#id2784647"> +<dt>Q: <a href="#id2616051"> How do I temporarily turn off system-call auditing without having to reboot? </a> </dt> -<dt>Q: <a href="#id2784672"> +<dt>Q: <a href="#id2616076"> How do I get status info about my SELinux installation? </a> </dt> -<dt>Q: <a href="#id2784703"> +<dt>Q: <a href="#id2616107"> How do I write policy to allow a domain to use pam_unix.so? </a> </dt> -<dt>Q: <a href="#id2784794"> +<dt>Q: <a href="#id2616198"> In the past I have written local.te file in policy sources for my own local customization to policy, how do I do this with Reference Policy? </a> </dt> -<dt>Q: <a href="#id2784972"> - I created a new Policy Package where do I put it to make sure that +<dt>Q: <a href="#id2616375"> + I created a new Policy Package, where do I put it to make sure that it gets loaded into the kernel? </a> </dt> </dl></td></tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2783681"></a><a name="id2783683"></a><b>Q:</b> +<a name="id2615086"></a><a name="id2615088"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I install/not install SELinux? @@ -1156,7 +1156,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2783707"></a><a name="id2783709"></a><b>Q:</b> +<a name="id2615112"></a><a name="id2615114"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I switch the policy I am currently using? @@ -1184,7 +1184,7 @@ select <span class="guimenu">Desktop</span> â?? <span class="guisubmenu">System Settings</span> â?? <span class="guimenuitem">Security level</span>, or from a terminal, run <span><strong class="command">system-config-securitylevel</strong></span>. Change the policy as desired and ensure that the <span class="guilabel">Relabel on next - reboot</span> option is enaled. + reboot</span> option is enabled. </p> <p> You can also perform these steps manually with the following @@ -1201,8 +1201,8 @@ SELINUX=permissive</code></strong> </pre> <p> - This step ensures you will not be locked out after rebooting. - SELinux will run under the correct policy, but will allow you to + This step ensures are not locked out after rebooting. + SELinux runs under the correct policy, but does allow you to login if there is a problem such as incorrect file context labeling. </p> @@ -1248,7 +1248,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2783924"></a><a name="id2783926"></a><b>Q:</b> +<a name="id2615328"></a><a name="id2615331"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How can I back up files from an SELinux file system? @@ -1279,9 +1279,9 @@ If you use an absolute path, such as <code class="filename">/var/log/maillog</code>, when you unpack the archive with <span><strong class="command">star -c - -f</strong></span>, the files will be restored on the same path they - were archived with. The <code class="filename">maillog</code> file will - attempt to write to <code class="filename">/var/log/maillog</code>. You + -f</strong></span>, the files are restored on the same path they + were archived with. The <code class="filename">maillog</code> file + attempts to write to <code class="filename">/var/log/maillog</code>. You should received a warning from <span><strong class="command">star</strong></span> if the files about to be overwritten have a later date, but you cannot rely on this behavior. @@ -1295,7 +1295,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2784024"></a><a name="id2784026"></a><b>Q:</b> +<a name="id2615428"></a><a name="id2615430"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How can I install the strict policy by default with kickstart? @@ -1322,7 +1322,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="qa-using-s-c-securitylevel"></a><a name="id2784095"></a><b>Q:</b> +<a name="qa-using-s-c-securitylevel"></a><a name="id2615500"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I enable/disable SELinux protection on specific daemons under @@ -1346,7 +1346,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2784146"></a><a name="id2784148"></a><b>Q:</b> +<a name="id2615550"></a><a name="id2615552"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I make a user <code class="filename">public_html</code> directory @@ -1379,7 +1379,7 @@ <li> <p> At this point, <span><strong class="command">httpd</strong></span> is configured to serve - the contents, but you will still receive a <code class="computeroutput">403 + the contents, but you still receive a <code class="computeroutput">403 forbidden</code> error. This is because <span><strong class="command">httpd</strong></span> is not allowed to read the security type for the directory and files as they are created in the @@ -1422,7 +1422,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2784358"></a><a name="id2784361"></a><b>Q:</b> +<a name="id2615762"></a><a name="id2615766"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I turn SELinux off at boot? @@ -1446,8 +1446,8 @@ </tr> <tr><td align="left" valign="top"><p> If you boot with <code class="option">selinux=0</code>, any files you - create while SELinux is disabled will not have SELinux context - information. The file system will be marked for relabeling at + create while SELinux is disabled do not have SELinux context + information. The file system is marked for relabeling at the next boot. If an unforeseen problem prevents you from rebooting normally, you may need to boot in single-user mode for recovery. Add the option <code class="option">emergency</code> to your @@ -1458,7 +1458,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2784418"></a><a name="id2784420"></a><b>Q:</b> +<a name="id2615823"></a><a name="id2615825"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I turn enforcing on/off at boot? @@ -1512,7 +1512,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2784537"></a><a name="id2784539"></a><b>Q:</b> +<a name="id2615940"></a><a name="id2615942"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I temporarily turn off enforcing mode without having to @@ -1548,7 +1548,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2784604"></a><a name="id2784606"></a><b>Q:</b> +<a name="id2616008"></a><a name="id2616010"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I turn system call auditing on/off at boot? @@ -1573,7 +1573,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2784647"></a><a name="id2784649"></a><b>Q:</b> +<a name="id2616051"></a><a name="id2616053"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I temporarily turn off system-call auditing without having @@ -1584,12 +1584,12 @@ <td align="left" valign="top"><b>A:</b></td> <td align="left" valign="top"><p> Run <span><strong class="command">auditctl -e 0</strong></span>. Note that this command - will not affect auditing of SELinux AVC denials. + does not affect auditing of SELinux AVC denials. </p></td> </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2784672"></a><a name="id2784674"></a><b>Q:</b> +<a name="id2616076"></a><a name="id2616078"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I get status info about my SELinux installation? @@ -1605,7 +1605,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2784703"></a><a name="id2784705"></a><b>Q:</b> +<a name="id2616107"></a><a name="id2616109"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I write policy to allow a domain to use pam_unix.so? @@ -1647,7 +1647,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2784794"></a><a name="id2784797"></a><b>Q:</b> +<a name="id2616198"></a><a name="id2616200"></a><b>Q:</b> </td> <td align="left" valign="top"><p> In the past I have written local.te file in policy sources for my @@ -1668,7 +1668,7 @@ <span><strong class="command">audit2allow -M local < /tmp/avcs</strong></span> </pre> <p> - This will create a <code class="filename">local.pp</code> which you can + This creates a <code class="filename">local.pp</code> which you can then load into the kernel using <span><strong class="command">semodule -i local.pp</strong></span>. You can also edit the <code class="filename">local.te</code> to make @@ -1676,7 +1676,7 @@ </p> <pre class="screen"> <code class="computeroutput">audit2allow -M local -l -i /var/log/messages -Generating type enforcment file: local.te +Generating type enforcement file: local.te Compiling policy checkmodule -M -m -o local.mod local.te semodule_package -o local.pp -m local.mod @@ -1693,8 +1693,8 @@ If you were using the audit daemon, then you should use <code class="filename">/var/log/audit/audit.log</code> instead of <code class="filename">/var/log/messages</code> as your log file. - This will generate a <code class="filename">local.te</code> file, that - looks something like the following: + This generates a <code class="filename">local.te</code> file, that + looks similar to the following: </p> <pre class="screen"> <code class="computeroutput">module local 1.0; @@ -1738,10 +1738,10 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2784972"></a><a name="id2784974"></a><b>Q:</b> +<a name="id2616375"></a><a name="id2616378"></a><b>Q:</b> </td> <td align="left" valign="top"><p> - I created a new Policy Package where do I put it to make sure that + I created a new Policy Package, where do I put it to make sure that it gets loaded into the kernel? </p></td> </tr> @@ -1749,15 +1749,13 @@ <td align="left" valign="top"><b>A:</b></td> <td align="left" valign="top"> <p> - All you need to do execute the - <span><strong class="command">semodule -i myapp.pp</strong></span> - command. This modifies the policy that is stored on the machine. - Everytime for now on your policy module will get loaded with the - rest of the policy. You can even remove the pp file from the - system. + You need to execute the command <span><strong class="command">semodule -i + myapp.pp</strong></span>. This modifies the policy that is stored on the + machine. Your policy module now is loaded with the rest of the + policy. You can even remove the pp file from the system. </p> <p> - <span><strong class="command">semodule -l</strong></span> will list the currently loaded + <span><strong class="command">semodule -l</strong></span> lists the currently loaded modules. </p> <pre class="screen"> @@ -1775,46 +1773,46 @@ <a name="faq-div-resolving-problems"></a>1.3. Resolving Problems</h4> </td></tr> <tr class="toc" colspan="2"><td align="left" valign="top" colspan="2"><dl> -<dt>Q: <a href="#id2785038"> +<dt>Q: <a href="#id2616441"> My application isn't working as expected and I am seeing avc: denied messages. How do I fix this? </a> </dt> -<dt>Q: <a href="#id2785134"> +<dt>Q: <a href="#id2616536"> I installed Fedora Core on a system with an existing /home partition, and now I can't log in. </a> </dt> -<dt>Q: <a href="#id2785231"> +<dt>Q: <a href="#id2616634"> After relabeling my /home using - setfiles or fixfiles, will I + setfiles or fixfiles, am I still be able to read /home with a non-SELinux-enabled system? </a> </dt> -<dt>Q: <a href="#id2785289"> +<dt>Q: <a href="#id2616691"> How do I share directories using NFS between Fedora Core and non-SELinux systems? </a> </dt> -<dt>Q: <a href="#id2785356"> +<dt>Q: <a href="#id2616759"> How can I create a new Linux user account with the user's home directory having the proper context? </a> </dt> -<dt>Q: <a href="#id2785474"> +<dt>Q: <a href="#id2616876"> I'm having troubles with avc errors filling my logs for a particular program. How do I choose not to audit the access for it? </a> </dt> -<dt>Q: <a href="#id2785559"> +<dt>Q: <a href="#id2616961"> Even running in permissive mode, I'm getting a large number of avc denied messages. </a> </dt> -<dt>Q: <a href="#id2785601"> +<dt>Q: <a href="#id2617009"> I get a specific permission denial only when SELinux is in enforcing mode, but I don't see any audit messages in /var/log/messages (or @@ -1823,104 +1821,104 @@ cause of these silent denials? </a> </dt> -<dt>Q: <a href="#id2785724"> +<dt>Q: <a href="#id2617132"> Why do I not see the output when I run certain daemons in debug or interactive mode? </a> </dt> -<dt>Q: <a href="#id2785822"> +<dt>Q: <a href="#id2617236"> When I do an upgrade of the policy package (for example, using yum), what happens with the policy? Is it updated automatically? </a> </dt> -<dt>Q: <a href="#id2785920"> +<dt>Q: <a href="#id2617335"> If the policy shipping with an application package changes in a way that requires relabeling, will RPM handle relabeling the files owned by the package? </a> </dt> -<dt>Q: <a href="#id2786002"> +<dt>Q: <a href="#id2617417"> Why do binary policies distributed with Fedora, such as /etc/selinux/<policyname>/policy/policy.<version>, and those I compile myself have different sizes and MD5 checksums? </a> </dt> -<dt>Q: <a href="#id2786066"> +<dt>Q: <a href="#id2617480"> Will new policy packages disable my system? </a> </dt> -<dt>Q: <a href="#id2786102"> +<dt>Q: <a href="#id2617516"> How can I help write policy? </a> </dt> -<dt>Q: <a href="#id2786409"> +<dt>Q: <a href="#id2617824"> My console is being flooded with messages. How do I turn them off? </a> </dt> -<dt>Q: <a href="#id2786440"> +<dt>Q: <a href="#id2617854"> Can I test the default policy without installing the policy source? </a> </dt> -<dt>Q: <a href="#id2786537"> +<dt>Q: <a href="#id2617952"> Why are some of my KDE applications having trouble under SELinux? </a> </dt> -<dt>Q: <a href="#id2786613"> +<dt>Q: <a href="#id2618028"> Why does SELINUX=disabled not work for me? </a> </dt> -<dt>Q: <a href="#id2786640"> +<dt>Q: <a href="#id2618055"> I have a process running as unconfined_t, and SELinux is still preventing my application from running. </a> </dt> -<dt>Q: <a href="#id2786780"> +<dt>Q: <a href="#id2618194"> What do these rpm errors mean? </a> </dt> -<dt>Q: <a href="#id2729318"> +<dt>Q: <a href="#id2618270"> I want to run a daemon on a non standard port but SELinux will not allow me. How do get this to work? </a> </dt> -<dt>Q: <a href="#id2729356"> +<dt>Q: <a href="#id2618308"> How do I add additional translations to my MCS/MLS system? </a> </dt> -<dt>Q: <a href="#id2787091"> +<dt>Q: <a href="#id2618365"> I have setup my MCS/MLS translations, now I want to designate which users can read a given category? </a> </dt> -<dt>Q: <a href="#id2787145"> +<dt>Q: <a href="#id2618419"> I am writing an php script that needs to create temporary files in /tmp and then execute them, SELinux policy is preventing this. What should I do? </a> </dt> -<dt>Q: <a href="#id2787191"> +<dt>Q: <a href="#id2618465"> I am setting up swapping to a file, but I am seeing AVC messages in my log files? </a> </dt> -<dt>Q: <a href="#id2787228"> +<dt>Q: <a href="#id2618502"> Please explain the relabelto/relabelfrom permissions? </a> </dt> -<dt>Q: <a href="#id2787324"> +<dt>Q: <a href="#id2618598"> Where are SELinux AVC messages (denial logs, etc.) stored? </a> </dt> </dl></td></tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2785038"></a><a name="id2785041"></a><b>Q:</b> +<a name="id2616441"></a><a name="id2616443"></a><b>Q:</b> </td> <td align="left" valign="top"><p> My application isn't working as expected and I am seeing @@ -1967,7 +1965,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2785134"></a><a name="id2785136"></a><b>Q:</b> +<a name="id2616536"></a><a name="id2616539"></a><b>Q:</b> </td> <td align="left" valign="top"><p> I installed Fedora Core on a system with an existing @@ -2003,11 +2001,11 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2785231"></a><a name="id2785233"></a><b>Q:</b> +<a name="id2616634"></a><a name="id2616636"></a><b>Q:</b> </td> <td align="left" valign="top"><p> After relabeling my <code class="filename">/home</code> using - <span><strong class="command">setfiles</strong></span> or <span><strong class="command">fixfiles</strong></span>, will I + <span><strong class="command">setfiles</strong></span> or <span><strong class="command">fixfiles</strong></span>, am I still be able to read <code class="filename">/home</code> with a non-SELinux-enabled system? </p></td> @@ -2017,7 +2015,7 @@ <td align="left" valign="top"><p> You can read the files from a non-SELinux distribution, or one with SELinux disabled. However, files created by a system not using SELinux - systems will not have a security context, nor will any files you + systems do not have a security context, nor do any files you remove and recreate. This could be a challenge with files such as <code class="filename">~/.bashrc</code>. You may have to relabel <code class="filename">/home</code> when you reboot the SELinux enabled Fedora Core @@ -2026,7 +2024,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2785289"></a><a name="id2785291"></a><b>Q:</b> +<a name="id2616691"></a><a name="id2616693"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I share directories using NFS between Fedora Core and non-SELinux @@ -2042,7 +2040,7 @@ </p> <p> When you mount a non-SELinux file system via NFS, by default SELinux - will treat all the files in the share as having a context of + treats all the files in the share as having a context of <code class="computeroutput">nfs_t</code>. You can override the default context by setting it manually, using the <code class="option">context=</code> option. The following command makes @@ -2062,7 +2060,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2785356"></a><a name="id2785358"></a><b>Q:</b> +<a name="id2616759"></a><a name="id2616761"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How can I create a new Linux user account with the user's home @@ -2076,7 +2074,7 @@ You can create your new user with the standard <span><strong class="command">useradd</strong></span> command. First you must become <code class="systemitem">root</code>. Under the strict - policy you will need to change role to + policy you need to change role to <code class="computeroutput">sysadm_r</code> with the following command: </p> @@ -2084,7 +2082,7 @@ <strong class="userinput"><code>newrole -r sysadm_r</code></strong> </pre> <p> - For the targeted policy you will not need + For the targeted policy you do not need to switch roles, staying in <code class="computeroutput">unconfined_t</code>: </p> @@ -2099,7 +2097,7 @@ <p> The initial context for a new user directory has an identity of <code class="computeroutput">root</code>. Subsequent relabeling of - the file system will change the identity to + the file system changes the identity to <code class="computeroutput">system_u</code>. These are functionally the same since the role and type are identical (<code class="computeroutput">object_r:user_home_dir_t</code>.) @@ -2108,7 +2106,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2785474"></a><a name="id2785476"></a><b>Q:</b> +<a name="id2616876"></a><a name="id2616879"></a><b>Q:</b> </td> <td align="left" valign="top"><p> I'm having troubles with <span><strong class="command">avc</strong></span> errors filling my @@ -2137,7 +2135,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2785559"></a><a name="id2785561"></a><b>Q:</b> +<a name="id2616961"></a><a name="id2616963"></a><b>Q:</b> </td> <td align="left" valign="top"><p> Even running in permissive mode, I'm getting a large number of @@ -2166,7 +2164,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2785601"></a><a name="id2785603"></a><b>Q:</b> +<a name="id2617009"></a><a name="id2617011"></a><b>Q:</b> </td> <td align="left" valign="top"><p> I get a specific permission denial only when SELinux is in enforcing @@ -2188,7 +2186,7 @@ way when a benign denial is filling the audit logs. </p> <p> - To look for your particular denial, you will need to enable + To look for your particular denial, enable auditing of all <code class="computeroutput">dontaudit</code> rules: </p> <pre class="screen"> @@ -2204,14 +2202,14 @@ <tr><td align="left" valign="top"> <p> Enabling auditing of all - <code class="computeroutput">dontaudit</code> rules will likely + <code class="computeroutput">dontaudit</code> rules likely produce a large amount of audit information, most of which is irrelevant to your denial. </p> <p> Use this technique only if you are specifically looking for an audit message for a denial that seems to occur silently. You - will likely want to re-enable + want to re-enable <code class="computeroutput">dontaudit</code> rules as soon as possible. </p> @@ -2219,7 +2217,7 @@ </table></div> <p> Once you have found your problem you can reset to the default - mode by executin + mode by executing </p> <pre class="screen"> <span><strong class="command">semodule -b /usr/share/selinux/targeted/base.pp</strong></span> @@ -2228,7 +2226,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2785724"></a><a name="id2785727"></a><b>Q:</b> +<a name="id2617132"></a><a name="id2617135"></a><b>Q:</b> </td> <td align="left" valign="top"><p> Why do I not see the output when I run certain daemons in debug or @@ -2269,7 +2267,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2785822"></a><a name="id2785824"></a><b>Q:</b> +<a name="id2617236"></a><a name="id2617238"></a><b>Q:</b> </td> <td align="left" valign="top"><p> When I do an upgrade of the policy package (for example, using @@ -2316,7 +2314,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2785920"></a><a name="id2785922"></a><b>Q:</b> +<a name="id2617335"></a><a name="id2617337"></a><b>Q:</b> </td> <td align="left" valign="top"><p> If the policy shipping with an application package changes in a @@ -2335,7 +2333,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2786002"></a><a name="id2786006"></a><b>Q:</b> +<a name="id2617417"></a><a name="id2617420"></a><b>Q:</b> </td> <td align="left" valign="top"><p> Why do binary policies distributed with Fedora, such as @@ -2354,7 +2352,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2786066"></a><a name="id2786068"></a><b>Q:</b> +<a name="id2617480"></a><a name="id2617483"></a><b>Q:</b> </td> <td align="left" valign="top"><p> Will new policy packages disable my system? @@ -2377,7 +2375,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2786102"></a><a name="id2786104"></a><b>Q:</b> +<a name="id2617516"></a><a name="id2617518"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How can I help write policy? @@ -2464,7 +2462,7 @@ </li> <li> <p> - Since you have very limited policy for your executeable, + Since you have very limited policy for your executable, SELinux will prevent it from doing much. Turn on permissive mode and then use the init script to start your daemon: </p> @@ -2484,7 +2482,7 @@ use these instead of using the allow rules directly, whenever possible. <span><strong class="command">audit2allow -R</strong></span> will attempt to find interfaces that match the allow rule. - If you want more examples of polcy, you could always + If you want more examples of policy, you could always install the selinux-policy src rpm, which contains all of the policy te files for the reference policy. </p> @@ -2492,7 +2490,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2786409"></a><a name="id2786411"></a><b>Q:</b> +<a name="id2617824"></a><a name="id2617826"></a><b>Q:</b> </td> <td align="left" valign="top"><p> My console is being flooded with messages. How do I turn them @@ -2513,7 +2511,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2786440"></a><a name="id2786442"></a><b>Q:</b> +<a name="id2617854"></a><a name="id2617856"></a><b>Q:</b> </td> <td align="left" valign="top"><p> Can I test the default policy without installing the policy @@ -2550,7 +2548,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2786537"></a><a name="id2786540"></a><b>Q:</b> +<a name="id2617952"></a><a name="id2617954"></a><b>Q:</b> </td> <td align="left" valign="top"><p> Why are some of my KDE applications having trouble under SELinux? @@ -2585,7 +2583,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2786613"></a><a name="id2786615"></a><b>Q:</b> +<a name="id2618028"></a><a name="id2618030"></a><b>Q:</b> </td> <td align="left" valign="top"><p> Why does <code class="option">SELINUX=disabled</code> not work for me? @@ -2601,7 +2599,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2786640"></a><a name="id2786642"></a><b>Q:</b> +<a name="id2618055"></a><a name="id2618057"></a><b>Q:</b> </td> <td align="left" valign="top"><p> I have a process running as @@ -2625,7 +2623,7 @@ <dd><p> This is usually based on a library label. You can change the context on the library with the - <span><strong class="command">chcon -t testrel_shlib_t + <span><strong class="command">chcon -t textrel_shlib_t <em class="replaceable"><code>LIBRARY</code></em></strong></span>. Now your application can run. Please report this as a bugzilla. </p></dd> @@ -2658,7 +2656,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2786780"></a><a name="id2786782"></a><b>Q:</b> +<a name="id2618194"></a><a name="id2618196"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What do these rpm errors mean? @@ -2699,7 +2697,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2729318"></a><a name="id2729320"></a><b>Q:</b> +<a name="id2618270"></a><a name="id2618273"></a><b>Q:</b> </td> <td align="left" valign="top"><p> I want to run a daemon on a non standard port but SELinux will not @@ -2721,7 +2719,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2729356"></a><a name="id2729358"></a><b>Q:</b> +<a name="id2618308"></a><a name="id2618310"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I add additional translations to my MCS/MLS system? @@ -2761,7 +2759,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2787091"></a><a name="id2787093"></a><b>Q:</b> +<a name="id2618365"></a><a name="id2618367"></a><b>Q:</b> </td> <td align="left" valign="top"><p> I have setup my MCS/MLS translations, now I want to designate @@ -2795,7 +2793,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2787145"></a><a name="id2787148"></a><b>Q:</b> +<a name="id2618419"></a><a name="id2618421"></a><b>Q:</b> </td> <td align="left" valign="top"><p> I am writing an php script that needs to create temporary files in @@ -2816,7 +2814,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2787191"></a><a name="id2787193"></a><b>Q:</b> +<a name="id2618465"></a><a name="id2618467"></a><b>Q:</b> </td> <td align="left" valign="top"><p> I am setting up swapping to a file, but I am seeing AVC messages @@ -2837,7 +2835,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2787228"></a><a name="id2787230"></a><b>Q:</b> +<a name="id2618502"></a><a name="id2618504"></a><b>Q:</b> </td> <td align="left" valign="top"><p> Please explain the @@ -2883,7 +2881,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2787324"></a><a name="id2787326"></a><b>Q:</b> +<a name="id2618598"></a><a name="id2618600"></a><b>Q:</b> </td> <td align="left" valign="top"><p> Where are SELinux AVC messages (denial logs, etc.) stored? @@ -2909,27 +2907,27 @@ <a name="faq-div-deploying-selinux"></a>1.4. Deploying SELinux</h4> </td></tr> <tr class="toc" colspan="2"><td align="left" valign="top" colspan="2"><dl> -<dt>Q: <a href="#id2787378"> +<dt>Q: <a href="#id2618652"> What file systems can I use for SELinux? </a> </dt> -<dt>Q: <a href="#id2787412"> +<dt>Q: <a href="#id2618686"> How does SELinux impact system performance? </a> </dt> -<dt>Q: <a href="#id2787443"> +<dt>Q: <a href="#id2618717"> What types of deployments, applications, and systems should I leverage SELinux in? </a> </dt> -<dt>Q: <a href="#id2787512"> +<dt>Q: <a href="#id2618786"> How does SELinux affect third-party applications? </a> </dt> </dl></td></tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2787378"></a><a name="id2787381"></a><b>Q:</b> +<a name="id2618652"></a><a name="id2618654"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What file systems can I use for SELinux? @@ -2955,7 +2953,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2787412"></a><a name="id2787420"></a><b>Q:</b> +<a name="id2618686"></a><a name="id2618694"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How does SELinux impact system performance? @@ -2975,7 +2973,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2787443"></a><a name="id2787446"></a><b>Q:</b> +<a name="id2618717"></a><a name="id2618719"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What types of deployments, applications, and systems should I @@ -2996,7 +2994,7 @@ <p> In these edge servers, you can lock down the policy very tightly. The smaller number of interactions with other components makes - such a lockdown easier. A dedicated system running a specialized + such a lock down easier. A dedicated system running a specialized third-party application would also be a good candidate. </p> <p> @@ -3015,7 +3013,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2787512"></a><a name="id2787514"></a><b>Q:</b> +<a name="id2618786"></a><a name="id2618788"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How does SELinux affect third-party applications? @@ -3048,7 +3046,7 @@ package-maintainer, please consider including a policy module in your package. This will allow you to secure the behavior of your application with the power of SELinux for any user - insalling your package. + installing your package. </p> <p> One important value that Fedora Core testers and users bring to the
