web/html/docs/selinux-faq-fc5 index.php,1.4,1.5

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Author: kwade

Update of /cvs/fedora/web/html/docs/selinux-faq-fc5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15202

Modified Files:
	index.php 
Log Message:
Updates with many bug fixes; refer to the internal revision history in the HTML file for specific details.


View full diff with command:
/usr/bin/cvs -f diff  -kk -u -N -r 1.4 -r 1.5 index.php
Index: index.php
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-faq-fc5/index.php,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- index.php	7 Apr 2006 14:34:53 -0000	1.4
+++ index.php	28 Apr 2006 19:37:48 -0000	1.5
@@ -52,6 +52,18 @@
 <div><div class="revhistory"><table border="1" width="100%" summary="Revision history">
 <tr><th align="left" valign="top" colspan="3"><b>Revision History</b></th></tr>
 <tr>
+<td align="left">Revision 1.5.6</td>
+<td align="left">2006-04-28</td>
+<td align="left">CS</td>
+</tr>
+<tr><td align="left" colspan="3">
+        <p>
+          Fix for bz #18727, bz#139744, bz#144696, bz#147915, and
+          bz#190181; other fixes, including from
+          http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions
+        </p>
+      </td></tr>
+<tr>
 <td align="left">Revision 1.5.5</td>
 <td align="left">2006-04-07</td>
 <td align="left">KW</td>
@@ -210,11 +222,11 @@
 <dt>1.1.  <a href="#faq-div-understanding-selinux">Understanding SELinux</a>
 </dt>
 <dd><dl>
-<dt>Q: <a href="#id2925009">
+<dt>Q: <a href="#id2904784">
               What is SELinux?
             </a>
 </dt>
-<dt>Q: <a href="#id2926456">
+<dt>Q: <a href="#id2905989">
               What is SELinux policy?
             </a>
 </dt>
@@ -222,15 +234,15 @@
               What is the SELinux targeted policy?
             </a>
 </dt>
-<dt>Q: <a href="#id2926712">
+<dt>Q: <a href="#id2903411">
               What programs are protected by the targeted policy?
             </a>
 </dt>
-<dt>Q: <a href="#id2939593">
+<dt>Q: <a href="#id2919193">
               What about the strict policy?  Does it even work?
             </a>
 </dt>
-<dt>Q: <a href="#id2939659">
+<dt>Q: <a href="#id2919259">
               What is the mls policy?  Who is it for?
             </a>
 </dt>
@@ -238,15 +250,15 @@
               What is the Reference Policy?
             </a>
 </dt>
-<dt>Q: <a href="#id2939752">
+<dt>Q: <a href="#id2919352">
               What are file contexts?
             </a>
 </dt>
-<dt>Q: <a href="#id2939817">
+<dt>Q: <a href="#id2919417">
               How do I view the security context of a file, user, or process?
             </a>
 </dt>
-<dt>Q: <a href="#id2939854">
+<dt>Q: <a href="#id2919454">
               What is the difference between a domain and
               a type?
             </a>
@@ -263,69 +275,82 @@
 <dt>1.2.  <a href="#faq-div-controlling-selinux">Controlling SELinux</a>
 </dt>
 <dd><dl>
-<dt>Q: <a href="#id2977994">
+<dt>Q: <a href="#id2957630">
               How do I install/not install SELinux?
             </a>
 </dt>
-<dt>Q: <a href="#id2978020">
+<dt>Q: <a href="#id2957656">
+              As an administrator, what do I need to do to configure SELinux for
+	      my system?
+            </a>
+</dt>
+<dt>Q: <a href="#qa-using-s-c-securitylevel">
+              How do I enable/disable SELinux protection on specific daemons under
+              the targeted policy?
+            </a>
+</dt>
+<dt>Q: <a href="#faq-entry-local.te">
+	      In the past I have written local.te file in policy sources for my
+	      own local customization to policy, how do I do this
+	      in Fedora Core 5?
+            </a>
+</dt>
+<dt>Q: <a href="#id2958106">
+	      I have some avc denials that I would like to allow, how do I do this?
+            </a>
+</dt>
+<dt>Q: <a href="#id2958297">
+              How can I help write policy?
+            </a>
+</dt>
+<dt>Q: <a href="#id2958611">
               How do I switch the policy I am currently using?
             </a>
 </dt>
-<dt>Q: <a href="#id2978236">
+<dt>Q: <a href="#id2958828">
               How can I back up files from an SELinux file system?
             </a>
 </dt>
-<dt>Q: <a href="#id2978336">
+<dt>Q: <a href="#id2958928">
               How can I install the strict policy by default with kickstart?
             </a>
 </dt>
-<dt>Q: <a href="#qa-using-s-c-securitylevel">
-              How do I enable/disable SELinux protection on specific daemons under
-              the targeted policy?
-            </a>
-</dt>
-<dt>Q: <a href="#id2978458">
+<dt>Q: <a href="#faq-entry-public_html">
               How do I make a user public_html directory
               work under SELinux?
             </a>
 </dt>
-<dt>Q: <a href="#id2978670">
+<dt>Q: <a href="#id2959210">
               How do I turn SELinux off at boot?
             </a>
 </dt>
-<dt>Q: <a href="#id2978730">
+<dt>Q: <a href="#id2959271">
               How do I turn enforcing on/off at boot?
             </a>
 </dt>
-<dt>Q: <a href="#id2978848">
+<dt>Q: <a href="#id2959389">
               How do I temporarily turn off enforcing mode without having to
               reboot?
             </a>
 </dt>
-<dt>Q: <a href="#id2978916">
+<dt>Q: <a href="#id2959456">
               How do I turn system call auditing on/off at boot?
             </a>
 </dt>
-<dt>Q: <a href="#id2978959">
+<dt>Q: <a href="#id2959500">
               How do I temporarily turn off system-call auditing without having
               to reboot?
             </a>
 </dt>
-<dt>Q: <a href="#id2978984">
+<dt>Q: <a href="#id2959525">
               How do I get status info about my SELinux installation?
             </a>
 </dt>
-<dt>Q: <a href="#id2979014">
+<dt>Q: <a href="#id2959555">
               How do I write policy to allow a domain to use pam_unix.so?
             </a>
 </dt>
-<dt>Q: <a href="#id2979106">
-	      In the past I have written local.te file in policy sources for my
-	      own local customization to policy, how do I do this with
-	      Reference Policy?
-            </a>
-</dt>
-<dt>Q: <a href="#id2979283">
+<dt>Q: <a href="#id2959647">
 	      I created a new Policy Package, where do I put it to make sure that
 	      it gets loaded into the kernel?
 	    </a>
@@ -334,46 +359,55 @@
 <dt>1.3.  <a href="#faq-div-resolving-problems">Resolving Problems</a>
 </dt>
 <dd><dl>
-<dt>Q: <a href="#id2979349">
+<dt>Q: <a href="#id2959713">
+              Where are SELinux AVC messages (denial logs, etc.) stored?
+            </a>
+</dt>
+<dt>Q: <a href="#id2959759">
               My application isn't working as expected and I am seeing
               avc: denied messages.  How do I
               fix this?
             </a>
[...2155 lines suppressed...]
 <tr class="question">
 <td align="left" valign="top">
-<a name="id2981102"></a><a name="id2981104"></a><b>Q:</b>
+<a name="id2961298"></a><a name="id2961301"></a><b>Q:</b>
 </td>
 <td align="left" valign="top"><p>
 	      What do these rpm errors mean?
@@ -2676,17 +3039,6 @@
 <td align="left" valign="top"><b>A:</b></td>
 <td align="left" valign="top">
 <pre class="screen">
-<code class="computeroutput">genhomedircon:  Warning!  No support yet for expanding ROLE macros in the /etc/selinux/mls/contexts/files/homedir_template file when using libsemanage. 
-genhomedircon:  You must manually update file_contexts.homedirs for any non-user_r users (including root).</code>
-</pre>
-<p>
-	      Some of the interfaces are not complete yet for selinux. Most
-	      users should not care about this warning. It will only affect you
-	      if you are running the policy package that is reporting the
-	      problem and have non standard SELinux role/user combinations.
-	      IE You are using some custom policy.
-	    </p>
-<pre class="screen">
 <code class="computeroutput">restorecon reset /etc/modprobe.conf context system_u:object_r:etc_runtime_t-&gt;system_u:object_r:modules_conf_t
 restorecon reset /etc/cups/ppd/homehp.ppd context user_u:object_r:cupsd_etc_t-&gt;system_u:object_r:cupsd_rw_etc_t</code>
 </pre>
@@ -2707,7 +3059,7 @@
 </tr>
 <tr class="question">
 <td align="left" valign="top">
-<a name="id2981178"></a><a name="id2981180"></a><b>Q:</b>
+<a name="id2961367"></a><a name="id2961369"></a><b>Q:</b>
 </td>
 <td align="left" valign="top"><p>
 	      I want to run a daemon on a non standard port but SELinux will not
@@ -2729,7 +3081,7 @@
 </tr>
 <tr class="question">
 <td align="left" valign="top">
-<a name="id2981215"></a><a name="id2981218"></a><b>Q:</b>
+<a name="id2961404"></a><a name="id2961406"></a><b>Q:</b>
 </td>
 <td align="left" valign="top"><p>
 	      How do I add additional translations to my MCS/MLS system?
@@ -2769,7 +3121,7 @@
 </tr>
 <tr class="question">
 <td align="left" valign="top">
-<a name="id2981273"></a><a name="id2981275"></a><b>Q:</b>
+<a name="id2961461"></a><a name="id2961463"></a><b>Q:</b>
 </td>
 <td align="left" valign="top"><p>
 	      I have setup my MCS/MLS translations, now I want to designate
@@ -2803,28 +3155,41 @@
 </tr>
 <tr class="question">
 <td align="left" valign="top">
-<a name="id2981327"></a><a name="id2981329"></a><b>Q:</b>
+<a name="id2961515"></a><a name="id2961518"></a><b>Q:</b>
 </td>
 <td align="left" valign="top"><p>
-	      I am writing an php script that needs to create temporary files in
-	      <code class="filename">/tmp</code> and then execute them, SELinux policy is
-	      preventing this. What should I do?
+	      I am writing a php script that needs to create files
+	      and possibly execute them. SELinux
+	      policy is preventing this. What should I do?
 	    </p></td>
 </tr>
 <tr class="answer">
 <td align="left" valign="top"><b>A:</b></td>
-<td align="left" valign="top"><p>
-	      You should avoid having system applications writing to the
+<td align="left" valign="top">
+<p>
+	      First, you should never allow a system service to execute
+	      anything it can write. This gives an attacker the ability to
+	      upload malicious code to the server and then execute it, which
+	      is something we want to prevent.
+	    </p>
+<p>
+	      If you merely need to allow your script to create
+	      (non-executable) files, this is possible. That said,
+	      you should avoid having system applications writing to the
 	      <code class="filename">/tmp</code> directory, since users tend to use the
 	      <code class="filename">/tmp</code> directory also. It would be better to
 	      create a directory elsewhere which could be owned by the apache
 	      process and allow your script to write to it. You should label the
-	      directory <code class="computeroutput">httpd_sys_script_rw_t</code>.
-	    </p></td>
+	      directory <code class="computeroutput">httpd_sys_script_rw_t</code>,
+	      which will allow apache to read and write files to that
+	      directory. This directory could be located anywhere that apache
+	      can get to (even <code class="filename">$HOME/public_html/</code>).
+	    </p>
+</td>
 </tr>
 <tr class="question">
 <td align="left" valign="top">
-<a name="id2981373"></a><a name="id2981375"></a><b>Q:</b>
+<a name="id2961573"></a><a name="id2961575"></a><b>Q:</b>
 </td>
 <td align="left" valign="top"><p>
 	      I am setting up swapping to a file, but I am seeing AVC messages
@@ -2845,7 +3210,7 @@
 </tr>
 <tr class="question">
 <td align="left" valign="top">
-<a name="id2981410"></a><a name="id2981412"></a><b>Q:</b>
+<a name="id2961610"></a><a name="id2961612"></a><b>Q:</b>
 </td>
 <td align="left" valign="top"><p>
 	      Please explain the
@@ -2889,55 +3254,32 @@
 </ul></div>
 </td>
 </tr>
-<tr class="question">
-<td align="left" valign="top">
-<a name="id2981506"></a><a name="id2981508"></a><b>Q:</b>
-</td>
-<td align="left" valign="top"><p>
-              Where are SELinux AVC messages (denial logs, etc.) stored?
-            </p></td>
-</tr>
-<tr class="answer">
-<td align="left" valign="top"><b>A:</b></td>
-<td align="left" valign="top"><p>
-              In Fedora Core 2 and 3, SELinux AVC messages could be found in
-	      <code class="filename">/var/log/messages</code>.
-	      In Fedora Core 4, the audit daemon was added, and these messages
-	      moved to
-	      <code class="filename">/var/log/audit/audit.log</code>.
-	      In Fedora Core 5, the audit daemon is not installed by default, and
-	      consequently these messages can be found in
-	      <code class="filename">/var/log/messages</code> unless you choose to
-	      install the audit daemon, in which case AVC messages will be in
-	      <code class="filename">/var/log/audit/audit.log</code>.
-            </p></td>
-</tr>
 <tr class="qandadiv"><td align="left" valign="top" colspan="2">
 <a name="faq-div-deploying-selinux"></a><h4 class="title">
 <a name="faq-div-deploying-selinux"></a>1.4. Deploying SELinux</h4>
 </td></tr>
 <tr class="toc" colspan="2"><td align="left" valign="top" colspan="2"><dl>
-<dt>Q: <a href="#id2981560">
+<dt>Q: <a href="#id2961714">
               What file systems can I use for SELinux?
             </a>
 </dt>
-<dt>Q: <a href="#id2981594">
+<dt>Q: <a href="#id2961748">
               How does SELinux impact system performance?
             </a>
 </dt>
-<dt>Q: <a href="#id2981625">
+<dt>Q: <a href="#id2961779">
               What types of deployments, applications, and systems should I
 	      leverage SELinux in?
             </a>
 </dt>
-<dt>Q: <a href="#id2981694">
+<dt>Q: <a href="#id2961848">
               How does SELinux affect third-party applications?
             </a>
 </dt>
 </dl></td></tr>
 <tr class="question">
 <td align="left" valign="top">
-<a name="id2981560"></a><a name="id2981562"></a><b>Q:</b>
+<a name="id2961714"></a><a name="id2961717"></a><b>Q:</b>
 </td>
 <td align="left" valign="top"><p>
               What file systems can I use for SELinux?
@@ -2963,7 +3305,7 @@
 </tr>
 <tr class="question">
 <td align="left" valign="top">
-<a name="id2981594"></a><a name="id2981602"></a><b>Q:</b>
+<a name="id2961748"></a><a name="id2961756"></a><b>Q:</b>
 </td>
 <td align="left" valign="top"><p>
               How does SELinux impact system performance?
@@ -2983,7 +3325,7 @@
 </tr>
 <tr class="question">
 <td align="left" valign="top">
-<a name="id2981625"></a><a name="id2981627"></a><b>Q:</b>
+<a name="id2961779"></a><a name="id2961782"></a><b>Q:</b>
 </td>
 <td align="left" valign="top"><p>
               What types of deployments, applications, and systems should I
@@ -3023,7 +3365,7 @@
 </tr>
 <tr class="question">
 <td align="left" valign="top">
-<a name="id2981694"></a><a name="id2981696"></a><b>Q:</b>
+<a name="id2961848"></a><a name="id2961850"></a><b>Q:</b>
 </td>
 <td align="left" valign="top"><p>
               How does SELinux affect third-party applications?


[Index of Archives]     [Fedora Users]     [Linux ARM]     [ARM Kernel]     [Older Fedora Users]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]

  Powered by Linux