Author: kwade Update of /cvs/fedora/web/html/docs/selinux-faq-fc5 In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15202 Modified Files: index.php Log Message: Updates with many bug fixes; refer to the internal revision history in the HTML file for specific details. View full diff with command: /usr/bin/cvs -f diff -kk -u -N -r 1.4 -r 1.5 index.php Index: index.php =================================================================== RCS file: /cvs/fedora/web/html/docs/selinux-faq-fc5/index.php,v retrieving revision 1.4 retrieving revision 1.5 diff -u -r1.4 -r1.5 --- index.php 7 Apr 2006 14:34:53 -0000 1.4 +++ index.php 28 Apr 2006 19:37:48 -0000 1.5 @@ -52,6 +52,18 @@ <div><div class="revhistory"><table border="1" width="100%" summary="Revision history"> <tr><th align="left" valign="top" colspan="3"><b>Revision History</b></th></tr> <tr> +<td align="left">Revision 1.5.6</td> +<td align="left">2006-04-28</td> +<td align="left">CS</td> +</tr> +<tr><td align="left" colspan="3"> + <p> + Fix for bz #18727, bz#139744, bz#144696, bz#147915, and + bz#190181; other fixes, including from + http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions + </p> + </td></tr> +<tr> <td align="left">Revision 1.5.5</td> <td align="left">2006-04-07</td> <td align="left">KW</td> @@ -210,11 +222,11 @@ <dt>1.1. <a href="#faq-div-understanding-selinux">Understanding SELinux</a> </dt> <dd><dl> -<dt>Q: <a href="#id2925009"> +<dt>Q: <a href="#id2904784"> What is SELinux? </a> </dt> -<dt>Q: <a href="#id2926456"> +<dt>Q: <a href="#id2905989"> What is SELinux policy? </a> </dt> @@ -222,15 +234,15 @@ What is the SELinux targeted policy? </a> </dt> -<dt>Q: <a href="#id2926712"> +<dt>Q: <a href="#id2903411"> What programs are protected by the targeted policy? </a> </dt> -<dt>Q: <a href="#id2939593"> +<dt>Q: <a href="#id2919193"> What about the strict policy? Does it even work? </a> </dt> -<dt>Q: <a href="#id2939659"> +<dt>Q: <a href="#id2919259"> What is the mls policy? Who is it for? </a> </dt> 
@@ -238,15 +250,15 @@ What is the Reference Policy? </a> </dt> -<dt>Q: <a href="#id2939752"> +<dt>Q: <a href="#id2919352"> What are file contexts? </a> </dt> -<dt>Q: <a href="#id2939817"> +<dt>Q: <a href="#id2919417"> How do I view the security context of a file, user, or process? </a> </dt> -<dt>Q: <a href="#id2939854"> +<dt>Q: <a href="#id2919454"> What is the difference between a domain and a type? </a> 
@@ -263,69 +275,82 @@ <dt>1.2. <a href="#faq-div-controlling-selinux">Controlling SELinux</a> </dt> <dd><dl> -<dt>Q: <a href="#id2977994"> +<dt>Q: <a href="#id2957630"> How do I install/not install SELinux? </a> </dt> -<dt>Q: <a href="#id2978020"> +<dt>Q: <a href="#id2957656"> + As an administrator, what do I need to do to configure SELinux for + my system? + </a> +</dt> +<dt>Q: <a href="#qa-using-s-c-securitylevel"> + How do I enable/disable SELinux protection on specific daemons under + the targeted policy? + </a> +</dt> +<dt>Q: <a href="#faq-entry-local.te"> + In the past I have written local.te file in policy sources for my + own local customization to policy, how do I do this + in Fedora Core 5? + </a> +</dt> +<dt>Q: <a href="#id2958106"> + I have some avc denials that I would like to allow, how do I do this? + </a> +</dt> +<dt>Q: <a href="#id2958297"> + How can I help write policy? + </a> +</dt> +<dt>Q: <a href="#id2958611"> How do I switch the policy I am currently using? </a> </dt> -<dt>Q: <a href="#id2978236"> +<dt>Q: <a href="#id2958828"> How can I back up files from an SELinux file system? </a> </dt> -<dt>Q: <a href="#id2978336"> +<dt>Q: <a href="#id2958928"> How can I install the strict policy by default with kickstart? </a> </dt> -<dt>Q: <a href="#qa-using-s-c-securitylevel"> - How do I enable/disable SELinux protection on specific daemons under - the targeted policy? - </a> -</dt> -<dt>Q: <a href="#id2978458"> +<dt>Q: <a href="#faq-entry-public_html"> How do I make a user public_html directory work under SELinux? </a> </dt> -<dt>Q: <a href="#id2978670"> +<dt>Q: <a href="#id2959210"> How do I turn SELinux off at boot? </a> </dt> -<dt>Q: <a href="#id2978730"> +<dt>Q: <a href="#id2959271"> How do I turn enforcing on/off at boot? </a> </dt> -<dt>Q: <a href="#id2978848"> +<dt>Q: <a href="#id2959389"> How do I temporarily turn off enforcing mode without having to reboot? 
</a> </dt> -<dt>Q: <a href="#id2978916"> +<dt>Q: <a href="#id2959456"> How do I turn system call auditing on/off at boot? </a> </dt> -<dt>Q: <a href="#id2978959"> +<dt>Q: <a href="#id2959500"> How do I temporarily turn off system-call auditing without having to reboot? </a> </dt> -<dt>Q: <a href="#id2978984"> +<dt>Q: <a href="#id2959525"> How do I get status info about my SELinux installation? </a> </dt> -<dt>Q: <a href="#id2979014"> +<dt>Q: <a href="#id2959555"> How do I write policy to allow a domain to use pam_unix.so? </a> </dt> -<dt>Q: <a href="#id2979106"> - In the past I have written local.te file in policy sources for my - own local customization to policy, how do I do this with - Reference Policy? - </a> -</dt> -<dt>Q: <a href="#id2979283"> +<dt>Q: <a href="#id2959647"> I created a new Policy Package, where do I put it to make sure that it gets loaded into the kernel? </a> @@ -334,46 +359,55 @@ <dt>1.3. <a href="#faq-div-resolving-problems">Resolving Problems</a> </dt> <dd><dl> -<dt>Q: <a href="#id2979349"> +<dt>Q: <a href="#id2959713"> + Where are SELinux AVC messages (denial logs, etc.) stored? + </a> +</dt> +<dt>Q: <a href="#id2959759"> My application isn't working as expected and I am seeing avc: denied messages. How do I fix this? </a> [...2155 lines suppressed...] <tr class="question"> <td align="left" valign="top"> -<a name="id2981102"></a><a name="id2981104"></a><b>Q:</b> +<a name="id2961298"></a><a name="id2961301"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What do these rpm errors mean? 
@@ -2676,17 +3039,6 @@ <td align="left" valign="top"><b>A:</b></td> <td align="left" valign="top"> <pre class="screen"> -<code class="computeroutput">genhomedircon: Warning! No support yet for expanding ROLE macros in the /etc/selinux/mls/contexts/files/homedir_template file when using libsemanage. -genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root).</code> -</pre> -<p> - Some of the interfaces are not complete yet for selinux. Most - users should not care about this warning. It will only affect you - if you are running the policy package that is reporting the - problem and have non standard SELinux role/user combinations. - IE You are using some custom policy. - </p> -<pre class="screen"> <code class="computeroutput">restorecon reset /etc/modprobe.conf context system_u:object_r:etc_runtime_t->system_u:object_r:modules_conf_t restorecon reset /etc/cups/ppd/homehp.ppd context user_u:object_r:cupsd_etc_t->system_u:object_r:cupsd_rw_etc_t</code> </pre> @@ -2707,7 +3059,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2981178"></a><a name="id2981180"></a><b>Q:</b> +<a name="id2961367"></a><a name="id2961369"></a><b>Q:</b> </td> <td align="left" valign="top"><p> I want to run a daemon on a non standard port but SELinux will not @@ -2729,7 +3081,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2981215"></a><a name="id2981218"></a><b>Q:</b> +<a name="id2961404"></a><a name="id2961406"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How do I add additional translations to my MCS/MLS system? @@ -2769,7 +3121,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2981273"></a><a name="id2981275"></a><b>Q:</b> +<a name="id2961461"></a><a name="id2961463"></a><b>Q:</b> </td> <td align="left" valign="top"><p> I have setup my MCS/MLS translations, now I want to designate 
@@ -2803,28 +3155,41 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2981327"></a><a name="id2981329"></a><b>Q:</b> +<a name="id2961515"></a><a name="id2961518"></a><b>Q:</b> </td> <td align="left" valign="top"><p> - I am writing an php script that needs to create temporary files in - <code class="filename">/tmp</code> and then execute them, SELinux policy is - preventing this. What should I do? + I am writing a php script that needs to create files + and possibly execute them. SELinux + policy is preventing this. What should I do? </p></td> </tr> <tr class="answer"> <td align="left" valign="top"><b>A:</b></td> -<td align="left" valign="top"><p> - You should avoid having system applications writing to the +<td align="left" valign="top"> +<p> + First, you should never allow a system service to execute + anything it can write. This gives an attacker the ability to + upload malicious code to the server and then execute it, which + is something we want to prevent. + </p> +<p> + If you merely need to allow your script to create + (non-executable) files, this is possible. That said, + you should avoid having system applications writing to the <code class="filename">/tmp</code> directory, since users tend to use the <code class="filename">/tmp</code> directory also. It would be better to create a directory elsewhere which could be owned by the apache process and allow your script to write to it. You should label the - directory <code class="computeroutput">httpd_sys_script_rw_t</code>. - </p></td> + directory <code class="computeroutput">httpd_sys_script_rw_t</code>, + which will allow apache to read and write files to that + directory. This directory could be located anywhere that apache + can get to (even <code class="filename">$HOME/public_html/</code>). 
+ </p> +</td> </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2981373"></a><a name="id2981375"></a><b>Q:</b> +<a name="id2961573"></a><a name="id2961575"></a><b>Q:</b> </td> <td align="left" valign="top"><p> I am setting up swapping to a file, but I am seeing AVC messages @@ -2845,7 +3210,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2981410"></a><a name="id2981412"></a><b>Q:</b> +<a name="id2961610"></a><a name="id2961612"></a><b>Q:</b> </td> <td align="left" valign="top"><p> Please explain the 
@@ -2889,55 +3254,32 @@ </ul></div> </td> </tr> -<tr class="question"> -<td align="left" valign="top"> -<a name="id2981506"></a><a name="id2981508"></a><b>Q:</b> -</td> -<td align="left" valign="top"><p> - Where are SELinux AVC messages (denial logs, etc.) stored? - </p></td> -</tr> -<tr class="answer"> -<td align="left" valign="top"><b>A:</b></td> -<td align="left" valign="top"><p> - In Fedora Core 2 and 3, SELinux AVC messages could be found in - <code class="filename">/var/log/messages</code>. - In Fedora Core 4, the audit daemon was added, and these messages - moved to - <code class="filename">/var/log/audit/audit.log</code>. - In Fedora Core 5, the audit daemon is not installed by default, and - consequently these messages can be found in - <code class="filename">/var/log/messages</code> unless you choose to - install the audit daemon, in which case AVC messages will be in - <code class="filename">/var/log/audit/audit.log</code>. - </p></td> -</tr> <tr class="qandadiv"><td align="left" valign="top" colspan="2"> <a name="faq-div-deploying-selinux"></a><h4 class="title"> <a name="faq-div-deploying-selinux"></a>1.4. Deploying SELinux</h4> </td></tr> <tr class="toc" colspan="2"><td align="left" valign="top" colspan="2"><dl> -<dt>Q: <a href="#id2981560"> +<dt>Q: <a href="#id2961714"> What file systems can I use for SELinux? </a> </dt> -<dt>Q: <a href="#id2981594"> +<dt>Q: <a href="#id2961748"> How does SELinux impact system performance? </a> </dt> -<dt>Q: <a href="#id2981625"> +<dt>Q: <a href="#id2961779"> What types of deployments, applications, and systems should I leverage SELinux in? </a> </dt> -<dt>Q: <a href="#id2981694"> +<dt>Q: <a href="#id2961848"> How does SELinux affect third-party applications? 
</a> </dt> </dl></td></tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2981560"></a><a name="id2981562"></a><b>Q:</b> +<a name="id2961714"></a><a name="id2961717"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What file systems can I use for SELinux? @@ -2963,7 +3305,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2981594"></a><a name="id2981602"></a><b>Q:</b> +<a name="id2961748"></a><a name="id2961756"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How does SELinux impact system performance? @@ -2983,7 +3325,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2981625"></a><a name="id2981627"></a><b>Q:</b> +<a name="id2961779"></a><a name="id2961782"></a><b>Q:</b> </td> <td align="left" valign="top"><p> What types of deployments, applications, and systems should I @@ -3023,7 +3365,7 @@ </tr> <tr class="question"> <td align="left" valign="top"> -<a name="id2981694"></a><a name="id2981696"></a><b>Q:</b> +<a name="id2961848"></a><a name="id2961850"></a><b>Q:</b> </td> <td align="left" valign="top"><p> How does SELinux affect third-party applications?
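Review bot: in the revision-history hunk (Revision 1.5.6) the bug references are formatted inconsistently: `bz #18727` has a space after `bz` while the other four (`bz#139744`, `bz#144696`, `bz#147915`, `bz#190181`) do not; pick one form. `bz #18727` is also a five-digit number sitting among six-digit ones, so it is worth re-checking that id against Bugzilla before the page is published.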
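Review bot: the new questions in the section 1.2 TOC hunk mix stable anchors (`#faq-entry-local.te`, `#faq-entry-public_html`, `#qa-using-s-c-securitylevel`) with generated ones (`#id2958106`, `#id2958297`, `#id2958611`). The rest of this diff shows why that matters: every generated `id29...` anchor changed between 1.4 and 1.5, so most of the hunks are id churn rather than content, and any link from the wiki or Bugzilla to the new "avc denials" or "help write policy" entries will break on the next build. Give each new qandaentry an explicit id the way the local.te and public_html entries have. Wording in the same hunk: "I have written local.te file" should be "a local.te file", and "own local customization to policy, how do I do this" is a comma splice; end the sentence after "policy" or use a semicolon.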
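Review bot: "Where are SELinux AVC messages (denial logs, etc.) stored?" is moved from the end of section 1.3 to the top of its TOC with a fresh generated id (`#id2959713`), so it inherits the same link-stability problem as the other new entries. The deleted copy at the end of the "Resolving Problems" hunk is the one that explains that Fedora Core 5 does not install the audit daemon by default, and therefore logs AVC messages to /var/log/messages unless auditd is installed; the relocated answer is in the suppressed part of the diff, so please confirm it still carries that FC5-specific note rather than only the FC2/FC3/FC4 history.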
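Review bot: the hunk at `@@ -2676,17 +3039,6 @@` deletes the `genhomedircon: Warning! No support yet for expanding ROLE macros ...` message and its explanation without putting anything in its place. The log message only says "bug fixes", so it is not clear whether the warning no longer appears in FC5 or the text was simply dropped; if an mls-policy user with non-standard role/user combinations (the exact case the deleted paragraph described) can still hit it, keep the entry, or at least note which policy version stopped emitting it, rather than removing the only explanation of the message on the page.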
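Review bot: the rewritten answer in the "php script" hunk opens with the right rule (never let a system service execute anything it can write) but then closes with "This directory could be located anywhere that apache can get to (even `$HOME/public_html/`)", which contradicts the preceding sentence that the directory should be "owned by the apache process": a directory under a user's home is owned by that user, and reaching it also depends on the public_html setup covered by the separate "How do I make a user public_html directory work under SELinux?" entry. Either drop the `$HOME/public_html/` aside or say that it only works once that entry has been followed, and make the label advice explicit: the writable directory is labelled `httpd_sys_script_rw_t` only, and must not be given any type that httpd scripts are allowed to execute from, otherwise the first paragraph's rule is broken by the labelling. Minor: "a php script" should be "a PHP script".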