Author: kwade Update of /cvs/fedora/web/html/docs/selinux-faq-fc5 In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5536 Modified Files: index.php Log Message: Publishing results of fixes for bz #193535 and #193540. View full diff with command: /usr/bin/cvs -f diff -kk -u -N -r 1.6 -r 1.7 index.php Index: index.php =================================================================== RCS file: /cvs/fedora/web/html/docs/selinux-faq-fc5/index.php,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- index.php 6 Jun 2006 19:28:13 -0000 1.6 +++ index.php 8 Jun 2006 22:34:21 -0000 1.7 
@@ -1,20 +1,3576 @@ <? -include("site.inc"); +include("site.inc"); $template = new Page; -$template->initCommon(); - +$template->initCommon(); $template->displayHeader(); ?> -<h1>SELinux FAQ for Fedora Core 5</h1> -<p>The SELinux FAQ, a compendium of common questions regarding SELinux in Fedora Core 5, is available in the following languages:</p> +<div class="article" lang="en"> +<div class="titlepage"> +<div> +<div><h1 class="title"> +<a name="selinux-faq"></a>Fedora Core 5 SELinux FAQ</h1></div> +<div><div class="authorgroup"> +<div class="author"><h3 class="author"> +<span class="firstname">Karsten</span> <span class="surname">Wade</span> +</h3></div> +<div class="author"><h3 class="author"> +<span class="firstname">Chad</span> <span class="surname">Sellers</span> +</h3></div> +</div></div> +<div><p class="othercredit"><span class="firstname">Francesco</span> <span class="surname">Tombolini</span></p></div> +<div><p class="copyright">Copyright © 2004, 2005 Red Hat, Inc., Karsten Wade</p></div> +<div><p class="copyright">Copyright © 2006 Chad Sellers, Paul W. Frields</p></div> +<div><div class="legalnotice"> +<a name="legalnotice-opl"></a><p><a name="opl.permission"></a> + Permission is granted to copy, distribute, and/or modify this + document under the terms of the Open Publication Licence, Version + 1.0, or any later version. The terms of the OPL are set out below. + </p> +<div class="orderedlist"> +<a name="opl.terms"></a><ol type="I"> +<li> +<a name="opl.require"></a><h2> +<a name="id2991430"></a>REQUIREMENTS ON BOTH UNMODIFIED AND MODIFIED + VERSIONS</h2> +<p> + Open Publication works may be reproduced and distributed in + whole or in part, in any medium physical or electronic, provided + that the terms of this license are adhered to, and that this + license or an incorporation of it by reference (with any options + elected by the author(s) and/or publisher) is displayed in the + reproduction. 
+ </p> +<p> + Proper form for an incorporation by reference is as follows: + </p> +<p> + Copyright (c) <year> by <author's name or designee>. + This material may be distributed only subject to the terms and + conditions set forth in the Open Publication License, vX.Y or + later (the latest version is presently available at <a href="http://www.opencontent.org/openpub/" target="_top">http://www.opencontent.org/openpub/</a>). + </p> +<p> + The reference must be immediately followed with any options + elected by the author(s) and/or publisher of the document (see + section VI). Commercial redistribution of Open + Publication-licensed material is permitted. Any publication in + standard (paper) book form shall require the citation of the + original publisher and author. The publisher and author's names + shall appear on all outer surfaces of the book. On all outer + surfaces of the book the original publisher's name shall be as + large as the title of the work and cited as possessive with + respect to the title. + </p> +</li> +<li> +<a name="opl.copyright"></a><h2> +<a name="id3010536"></a>COPYRIGHT</h2> +<p> + The copyright to each Open Publication is owned by its author(s) + or designee. + </p> +</li> +<li> +<a name="opl.scope"></a><h2> +<a name="id3001093"></a>SCOPE OF LICENSE</h2> +<p> + The following license terms apply to all Open Publication works, + unless otherwise explicitly stated in the document. + </p> +<p> + Mere aggregation of Open Publication works or a portion of an + Open Publication work with other works or programs on the same + media shall not cause this license to apply to those other + works. The aggregate work shall contain a notice specifying the + inclusion of the Open Publication material and appropriate + copyright notice. + </p> +<p> + SEVERABILITY. If any part of this license is found to be + unenforceable in any jurisdiction, the remaining portions of the + license remain in force. + </p> +<p> + NO WARRANTY. 
Open Publication works are licensed and provided + "as is" without warranty of any kind, express or implied, + including, but not limited to, the implied warranties of + merchantability and fitness for a particular purpose or a + warranty of non-infringement. + </p> +</li> +<li> +<a name="opl.modified.works"></a><h2> +<a name="id3006930"></a>REQUIREMENTS ON MODIFIED WORKS</h2> +<p> + All modified versions of documents covered by this license, + including translations, anthologies, compilations and partial + documents, must meet the following requirements: + </p> +<div class="orderedlist"><ol type="1"> +<li><p> + The modified version must be labeled as such. + </p></li> +<li><p> + The person making the modifications must be identified and + the modifications dated. + </p></li> +<li><p> + Acknowledgement of the original author and publisher if + applicable must be retained according to normal academic + citation practices. + </p></li> +<li><p> + The location of the original unmodified document must be + identified. + </p></li> +<li><p> + The original author's (or authors') name(s) may not be used + to assert or imply endorsement of the resulting document + without the original author's (or authors') permission. + </p></li> +</ol></div> +</li> +<li> +<a name="opl.good-practice"></a><h2> +<a name="id2994932"></a>GOOD-PRACTICE RECOMMENDATIONS</h2> +<p> + In addition to the requirements of this license, it is requested + from and strongly recommended of redistributors that: + </p> +<div class="orderedlist"><ol type="1"> +<li><p> + If you are distributing Open Publication works on hardcopy + or CD-ROM, you provide email notification to the authors of + your intent to redistribute at least thirty days before your + manuscript or media freeze, to give the authors time to + provide updated documents. This notification should describe + modifications, if any, made to the document. 
+ </p></li> +<li><p> + All substantive modifications (including deletions) be + either clearly marked up in the document or else described + in an attachment to the document. + </p></li> +<li><p> + Finally, while it is not mandatory under this license, it is + considered good form to offer a free copy of any hardcopy + and CD-ROM expression of an Open Publication-licensed work + to its author(s). + </p></li> +</ol></div> +</li> +<li> +<a name="opl.options"></a><h2> +<a name="id3008214"></a>LICENSE OPTIONS</h2> +<p> + The author(s) and/or publisher of an Open Publication-licensed + document may elect certain options by appending language to the + reference to or copy of the license. These options are + considered part of the license instance and must be included + with the license (or its incorporation by reference) in derived + works. + </p> +<p> + A. To prohibit distribution of substantively modified versions + without the explicit permission of the author(s). "Substantive + modification" is defined as a change to the semantic content of + the document, and excludes mere changes in format or + typographical corrections. + </p> +<p> + To accomplish this, add the phrase 'Distribution of + substantively modified versions of this document is prohibited + without the explicit permission of the copyright holder.' to the [...3191 lines suppressed...] +<p> + For files, <code class="computeroutput">relabelfrom</code> means "Can + domain D relabel a file from (i.e. currently in) type T1?" and + <code class="computeroutput">relabelto</code> means "Can domain D + relabel a file to type T2?", so both checks are applied upon a + file relabeling, where T1 is the original type of the type and T2 + is the new type specified by the program. 
+ </p> +<p> + Useful documents to look at: + </p> +<div class="itemizedlist"><ul type="disc"> +<li><p> + Object class and permission summary by Tresys <a href="http://tresys.com/selinux/obj_perms_help.shtml" target="_top">http://tresys.com/selinux/obj_perms_help.shtml</a> + </p></li> +<li><p> + Implementing SELinux as an LSM technical report (describes + permission checks on a per-hook basis) <a href="http://www.nsa.gov/selinux/papers/module-abs.cfm" target="_top">http://www.nsa.gov/selinux/papers/module-abs.cfm</a>. + This is also available in the selinux-doc package + (and more up-to-date there). + </p></li> +<li><p> + Integrating Flexible Support for Security Policies into the + Linux Operating System - technical report (describes original + design and implementation, including summary tables of + classes, permissions, and what permission checks are applied + to what system calls. It is not entirely up-to-date with + current implementation, but a good resource nonetheless). + <a href="http://www.nsa.gov/selinux/papers/slinux-abs.cfm" target="_top">http://www.nsa.gov/selinux/papers/slinux-abs.cfm</a> + </p></li> +</ul></div> +</td> +</tr> +<tr class="qandadiv"><td align="left" valign="top" colspan="2"> +<a name="faq-div-deploying-selinux"></a><h4 class="title"> +<a name="faq-div-deploying-selinux"></a>1.4. Deploying SELinux</h4> +</td></tr> +<tr class="toc" colspan="2"><td align="left" valign="top" colspan="2"><dl> +<dt>Q: <a href="#id2964994"> + What file systems can I use for SELinux? + </a> +</dt> +<dt>Q: <a href="#id2965028"> + How does SELinux impact system performance? + </a> +</dt> +<dt>Q: <a href="#id2965059"> + What types of deployments, applications, and systems should I + leverage SELinux in? + </a> +</dt> +<dt>Q: <a href="#id2965128"> + How does SELinux affect third-party applications? 
+ </a> +</dt> +</dl></td></tr> +<tr class="question"> +<td align="left" valign="top"> +<a name="id2964994"></a><a name="id2964996"></a><b>Q:</b> +</td> +<td align="left" valign="top"><p> + What file systems can I use for SELinux? + </p></td> +</tr> +<tr class="answer"> +<td align="left" valign="top"><b>A:</b></td> +<td align="left" valign="top"> +<p> + The file system must support + <code class="computeroutput">xattr</code> labels in the right + <em class="parameter"><code>security.*</code></em> namespace. In addition to + ext2/ext3, XFS has recently added support for the necessary + labels. + </p> +<p> + Note that XFS SELinux support is broken in upstream kernel + 2.6.14 and 2.6.15, but fixed (worked around) + in 2.6.16. Your kernel must include this fix if + you choose to use XFS with SELinux. + </p> +</td> +</tr> +<tr class="question"> +<td align="left" valign="top"> +<a name="id2965028"></a><a name="id2965035"></a><b>Q:</b> +</td> +<td align="left" valign="top"><p> + How does SELinux impact system performance? + </p></td> +</tr> +<tr class="answer"> +<td align="left" valign="top"><b>A:</b></td> +<td align="left" valign="top"><p> + This is a variable that is hard to measure, and is heavily + dependent on the tuning and usage of the system running SELinux. + When performance was last measured, the impact was around 7% for + completely untuned code. Subsequent changes in system components + such as networking are likely to have made that worse in some + cases. SELinux performance tuning continues to be a priority of the + development team. + </p></td> +</tr> +<tr class="question"> +<td align="left" valign="top"> +<a name="id2965059"></a><a name="id2965061"></a><b>Q:</b> +</td> +<td align="left" valign="top"><p> + What types of deployments, applications, and systems should I + leverage SELinux in? 
+ </p></td> +</tr> +<tr class="answer"> +<td align="left" valign="top"><b>A:</b></td> +<td align="left" valign="top"> +<p> + Initially, SELinux has been used on Internet facing servers that are + performing a few specialized functions, where it is critical to + keep extremely tight security. Administrators typically strip + such a box of all extra software and services, and run a very + small, focused set of services. A Web server or mail server is a + good example. + </p> +<p> + In these edge servers, you can lock down the policy very tightly. + The smaller number of interactions with other components makes + such a lock down easier. A dedicated system running a specialized + third-party application would also be a good candidate. + </p> +<p> + In the future, SELinux will be targeted at all environments. In + order to achieve this goal, the community and + <em class="firstterm">independent software vendors</em> + (<span class="abbrev">ISV</span>s) must work with the SELinux developers to + produce the necessary policy. So far, a very restrictive + <em class="firstterm">strict policy</em> has been written, as well as + a <em class="firstterm">targeted policy</em> that focuses on specific, + vulnerable daemons. + </p> +<p>For more information about these policies, refer to <a href="#qa-whatis-policy">What is SELinux policy?</a> and <a href="#qa-whatis-targeted-policy">What is the SELinux targeted policy?</a>. + </p> +</td> +</tr> +<tr class="question"> +<td align="left" valign="top"> +<a name="id2965128"></a><a name="id2965130"></a><b>Q:</b> +</td> +<td align="left" valign="top"><p> + How does SELinux affect third-party applications? + </p></td> +</tr> +<tr class="answer"> +<td align="left" valign="top"><b>A:</b></td> +<td align="left" valign="top"> +<p> + One goal of implementing a targeted SELinux policy in Fedora Core is to + allow third-party applications to work without modification. 
The + targeted policy is transparent to those unaddressed applications, + and it falls back on standard Linux DAC security. These + applications, however, will not be running in an extra-secure + manner. You or another provider must write policy to protect these + applications with MAC security. + </p> +<p> + It is impossible to predict how every third-party application + might behave with SELinux, even running the targeted policy. You + may be able to fix issues that arise by changing the policy. You + may find that SELinux exposes previously unknown security issues + with your application. You may have to modify the application to + work under SELinux. + </p> +<p> + Note that with the addition of <a href="#faq-entry-whatare-policy-modules">Policy Modules</a>, it is now possible + for third-party developers to include policy modules with their + application. If you are a third-party developer or a + package-maintainer, please consider including a policy module + in your package. This will allow you to secure the behavior + of your application with the power of SELinux for any user + installing your package. + </p> +<p> + One important value that Fedora Core testers and users bring to the + community is extensive testing of third-party applications. With + that in mind, please bring your experiences to the appropriate + mailing list, such as the fedora-selinux list, for discussion. For + more information about that list, refer to <a href="http://www.redhat.com/mailman/listinfo/fedora-selinux-list/" target="_top">http://www.redhat.com/mailman/listinfo/fedora-selinux-list/</a>. + </p> +</td> +</tr> +</tbody> +</table> +</div> +</div> +</div> <? $template->displayFooter('$Date$'); ?> +
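Review bot: In the relabelfrom/relabelto paragraph near the end of the hunk, "where T1 is the original type of the type and T2 is the new type" should read "the original type of the file"; as written, the sentence that explains which two permission checks a file relabel triggers is the one sentence that does not parse, and it is the part of this FAQ a reader is most likely to quote when debugging a denial. Two markup points in the same hunk: the OPL incorporation text contains literal `<year>` and `<author's name or designee>` placeholders inside a `<p>`, which a browser will treat as tags and drop unless they are emitted as `&lt;year&gt;` and `&lt;author's name or designee&gt;` (please confirm the generated file escapes them), and the "1.4. Deploying SELinux" heading emits `<a name="faq-div-deploying-selinux"></a>` twice in a row (once in the `<td>` and again inside the `<h4>`), so the document carries a duplicate anchor name; one of the two should go. Also, `include("site.inc");` and `$template->initCommon();` appear as removed-and-re-added lines with identical text, which suggests a whitespace or line-ending change; the `-kk` in the diff command hides keyword churn but not this, and keeping such lines out of the patch would make the real change (the old language-index page being replaced by the full generated FAQ body) easier to review.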