web/html/docs/selinux-faq-fc5 index.php,1.6,1.7

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Author: kwade

Update of /cvs/fedora/web/html/docs/selinux-faq-fc5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5536

Modified Files:
	index.php 
Log Message:
Publishing results of fixes for bz #193535 and #193540.


View full diff with command:
/usr/bin/cvs -f diff  -kk -u -N -r 1.6 -r 1.7 index.php
Index: index.php
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-faq-fc5/index.php,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- index.php	6 Jun 2006 19:28:13 -0000	1.6
+++ index.php	8 Jun 2006 22:34:21 -0000	1.7
@@ -1,20 +1,3576 @@
 <?
-include("site.inc");
 
+include("site.inc");
 $template = new Page;
-$template->initCommon();
-
+$template->initCommon(); 
 $template->displayHeader();
 
 ?>
-<h1>SELinux FAQ for Fedora Core 5</h1>
 
-<p>The SELinux FAQ, a compendium of common questions regarding SELinux in Fedora Core 5, is available in the following languages:</p>
+<div class="article" lang="en">
+<div class="titlepage">
+<div>
+<div><h1 class="title">
+<a name="selinux-faq"></a>Fedora Core 5 SELinux FAQ</h1></div>
+<div><div class="authorgroup">
+<div class="author"><h3 class="author">
+<span class="firstname">Karsten</span> <span class="surname">Wade</span>
+</h3></div>
+<div class="author"><h3 class="author">
+<span class="firstname">Chad</span> <span class="surname">Sellers</span>
+</h3></div>
+</div></div>
+<div><p class="othercredit"><span class="firstname">Francesco</span> <span class="surname">Tombolini</span></p></div>
+<div><p class="copyright">Copyright © 2004, 2005 Red Hat, Inc., Karsten Wade</p></div>
+<div><p class="copyright">Copyright © 2006 Chad Sellers, Paul W. Frields</p></div>
+<div><div class="legalnotice">
+<a name="legalnotice-opl"></a><p><a name="opl.permission"></a>
+    Permission is granted to copy, distribute, and/or modify this
+    document under the terms of the Open Publication Licence, Version
+    1.0, or any later version. The terms of the OPL are set out below.
+  </p>
+<div class="orderedlist">
+<a name="opl.terms"></a><ol type="I">
+<li>
+<a name="opl.require"></a><h2>
+<a name="id2991430"></a>REQUIREMENTS ON BOTH UNMODIFIED AND MODIFIED
+	VERSIONS</h2>
+<p>
+	Open Publication works may be reproduced and distributed in
+	whole or in part, in any medium physical or electronic, provided
+	that the terms of this license are adhered to, and that this
+	license or an incorporation of it by reference (with any options
+	elected by the author(s) and/or publisher) is displayed in the
+	reproduction.
+      </p>
+<p>
+	Proper form for an incorporation by reference is as follows:
+      </p>
+<p>
+	Copyright (c) &lt;year&gt; by &lt;author's name or designee&gt;.
+	This material may be distributed only subject to the terms and
+	conditions set forth in the Open Publication License, vX.Y or
+	later (the latest version is presently available at <a href="http://www.opencontent.org/openpub/"; target="_top">http://www.opencontent.org/openpub/</a>).
+      </p>
+<p>
+	The reference must be immediately followed with any options
+	elected by the author(s) and/or publisher of the document (see
+	section VI). Commercial redistribution of Open
+	Publication-licensed material is permitted. Any publication in
+	standard (paper) book form shall require the citation of the
+	original publisher and author. The publisher and author's names
+	shall appear on all outer surfaces of the book. On all outer
+	surfaces of the book the original publisher's name shall be as
+	large as the title of the work and cited as possessive with
+	respect to the title.
+      </p>
+</li>
+<li>
+<a name="opl.copyright"></a><h2>
+<a name="id3010536"></a>COPYRIGHT</h2>
+<p>
+	The copyright to each Open Publication is owned by its author(s)
+	or designee.
+      </p>
+</li>
+<li>
+<a name="opl.scope"></a><h2>
+<a name="id3001093"></a>SCOPE OF LICENSE</h2>
+<p>
+	The following license terms apply to all Open Publication works,
+	unless otherwise explicitly stated in the document.
+      </p>
+<p>
+	Mere aggregation of Open Publication works or a portion of an
+	Open Publication work with other works or programs on the same
+	media shall not cause this license to apply to those other
+	works. The aggregate work shall contain a notice specifying the
+	inclusion of the Open Publication material and appropriate
+	copyright notice.
+      </p>
+<p>
+	SEVERABILITY. If any part of this license is found to be
+	unenforceable in any jurisdiction, the remaining portions of the
+	license remain in force.
+      </p>
+<p>
+	NO WARRANTY. Open Publication works are licensed and provided
+	"as is" without warranty of any kind, express or implied,
+	including, but not limited to, the implied warranties of
+	merchantability and fitness for a particular purpose or a
+	warranty of non-infringement.
+      </p>
+</li>
+<li>
+<a name="opl.modified.works"></a><h2>
+<a name="id3006930"></a>REQUIREMENTS ON MODIFIED WORKS</h2>
+<p>
+	All modified versions of documents covered by this license,
+	including translations, anthologies, compilations and partial
+	documents, must meet the following requirements:
+      </p>
+<div class="orderedlist"><ol type="1">
+<li><p>
+	    The modified version must be labeled as such.
+	  </p></li>
+<li><p>
+	    The person making the modifications must be identified and
+	    the modifications dated.
+	  </p></li>
+<li><p>
+	    Acknowledgement of the original author and publisher if
+	    applicable must be retained according to normal academic
+	    citation practices.
+	  </p></li>
+<li><p>
+	    The location of the original unmodified document must be
+	    identified.
+	  </p></li>
+<li><p>
+	    The original author's (or authors') name(s) may not be used
+	    to assert or imply endorsement of the resulting document
+	    without the original author's (or authors') permission.
+	  </p></li>
+</ol></div>
+</li>
+<li>
+<a name="opl.good-practice"></a><h2>
+<a name="id2994932"></a>GOOD-PRACTICE RECOMMENDATIONS</h2>
+<p>
+	In addition to the requirements of this license, it is requested
+	from and strongly recommended of redistributors that:
+      </p>
+<div class="orderedlist"><ol type="1">
+<li><p>
+	    If you are distributing Open Publication works on hardcopy
+	    or CD-ROM, you provide email notification to the authors of
+	    your intent to redistribute at least thirty days before your
+	    manuscript or media freeze, to give the authors time to
+	    provide updated documents. This notification should describe
+	    modifications, if any, made to the document.
+	  </p></li>
+<li><p>
+	    All substantive modifications (including deletions) be
+	    either clearly marked up in the document or else described
+	    in an attachment to the document.
+	  </p></li>
+<li><p>
+	    Finally, while it is not mandatory under this license, it is
+	    considered good form to offer a free copy of any hardcopy
+	    and CD-ROM expression of an Open Publication-licensed work
+	    to its author(s).
+	  </p></li>
+</ol></div>
+</li>
+<li>
+<a name="opl.options"></a><h2>
+<a name="id3008214"></a>LICENSE OPTIONS</h2>
+<p>
+	The author(s) and/or publisher of an Open Publication-licensed
+	document may elect certain options by appending language to the
+	reference to or copy of the license. These options are
+	considered part of the license instance and must be included
+	with the license (or its incorporation by reference) in derived
+	works.
+      </p>
+<p>
+	A. To prohibit distribution of substantively modified versions
+	without the explicit permission of the author(s). "Substantive
+	modification" is defined as a change to the semantic content of
+	the document, and excludes mere changes in format or
+	typographical corrections.
+      </p>
+<p>
+	To accomplish this, add the phrase 'Distribution of
+	substantively modified versions of this document is prohibited
+	without the explicit permission of the copyright holder.' to the
[...3191 lines suppressed...]
+<p>
+	      For files, <code class="computeroutput">relabelfrom</code> means "Can
+	      domain D relabel a file from (i.e. currently in) type T1?" and
+	      <code class="computeroutput">relabelto</code> means "Can domain D
+	      relabel a file to type T2?", so both checks are applied upon a
+	      file relabeling, where T1 is the original type of the type and T2
+	      is the new type specified by the program.
+	    </p>
+<p>
+	      Useful documents to look at: 
+	    </p>
+<div class="itemizedlist"><ul type="disc">
+<li><p>
+	          Object class and permission summary by Tresys <a href="http://tresys.com/selinux/obj_perms_help.shtml"; target="_top">http://tresys.com/selinux/obj_perms_help.shtml</a>
+	        </p></li>
+<li><p>
+	          Implementing SELinux as an LSM technical report (describes
+	          permission checks on a per-hook basis) <a href="http://www.nsa.gov/selinux/papers/module-abs.cfm"; target="_top">http://www.nsa.gov/selinux/papers/module-abs.cfm</a>.
+		  This is also available in the selinux-doc package
+		  (and more up-to-date there).
+	        </p></li>
+<li><p>
+		  Integrating Flexible Support for Security Policies into the
+		  Linux Operating System - technical report (describes original
+		  design and implementation, including summary tables of
+		  classes, permissions, and what permission checks are applied
+		  to what system calls. It is not entirely up-to-date with
+		  current implementation, but a good resource nonetheless).
+		  <a href="http://www.nsa.gov/selinux/papers/slinux-abs.cfm"; target="_top">http://www.nsa.gov/selinux/papers/slinux-abs.cfm</a>
+		</p></li>
+</ul></div>
+</td>
+</tr>
+<tr class="qandadiv"><td align="left" valign="top" colspan="2">
+<a name="faq-div-deploying-selinux"></a><h4 class="title">
+<a name="faq-div-deploying-selinux"></a>1.4. Deploying SELinux</h4>
+</td></tr>
+<tr class="toc" colspan="2"><td align="left" valign="top" colspan="2"><dl>
+<dt>Q: <a href="#id2964994">
+              What file systems can I use for SELinux?
+            </a>
+</dt>
+<dt>Q: <a href="#id2965028">
+              How does SELinux impact system performance?
+            </a>
+</dt>
+<dt>Q: <a href="#id2965059">
+              What types of deployments, applications, and systems should I
+	      leverage SELinux in?
+            </a>
+</dt>
+<dt>Q: <a href="#id2965128">
+              How does SELinux affect third-party applications?
+            </a>
+</dt>
+</dl></td></tr>
+<tr class="question">
+<td align="left" valign="top">
+<a name="id2964994"></a><a name="id2964996"></a><b>Q:</b>
+</td>
+<td align="left" valign="top"><p>
+              What file systems can I use for SELinux?
+            </p></td>
+</tr>
+<tr class="answer">
+<td align="left" valign="top"><b>A:</b></td>
+<td align="left" valign="top">
+<p>
+              The file system must support
+              <code class="computeroutput">xattr</code> labels in the right
+              <em class="parameter"><code>security.*</code></em> namespace.  In addition to
+              ext2/ext3, XFS has recently added support for the necessary
+              labels.
+            </p>
+<p>
+	      Note that XFS SELinux support is broken in upstream kernel
+	      2.6.14 and 2.6.15, but fixed (worked around)
+	      in 2.6.16.  Your kernel must include this fix if
+	      you choose to use XFS with SELinux.
+	    </p>
+</td>
+</tr>
+<tr class="question">
+<td align="left" valign="top">
+<a name="id2965028"></a><a name="id2965035"></a><b>Q:</b>
+</td>
+<td align="left" valign="top"><p>
+              How does SELinux impact system performance?
+            </p></td>
+</tr>
+<tr class="answer">
+<td align="left" valign="top"><b>A:</b></td>
+<td align="left" valign="top"><p>
+              This is a variable that is hard to measure, and is heavily
+	      dependent on the tuning and usage of the system running SELinux.
+	      When performance was last measured, the impact was around 7% for
+	      completely untuned code.  Subsequent changes in system components
+	      such as networking are likely to have made that worse in some
+	      cases.  SELinux performance tuning continues to be a priority of the
+	      development team.
+            </p></td>
+</tr>
+<tr class="question">
+<td align="left" valign="top">
+<a name="id2965059"></a><a name="id2965061"></a><b>Q:</b>
+</td>
+<td align="left" valign="top"><p>
+              What types of deployments, applications, and systems should I
+	      leverage SELinux in?
+            </p></td>
+</tr>
+<tr class="answer">
+<td align="left" valign="top"><b>A:</b></td>
+<td align="left" valign="top">
+<p>
+              Initially, SELinux has been used on Internet facing servers that are
+	      performing a few specialized functions, where it is critical to
+	      keep extremely tight security.  Administrators typically strip
+	      such a box of all extra software and services, and run a very
+	      small, focused set of services.  A Web server or mail server is a
+	      good example.
+            </p>
+<p>
+              In these edge servers, you can lock down the policy very tightly.
+	      The smaller number of interactions with other components makes
+	      such a lock down easier.  A dedicated system running a specialized
+	      third-party application would also be a good candidate.
+            </p>
+<p>
+              In the future, SELinux will be targeted at all environments. In
+	      order to achieve this goal, the community and
+	      <em class="firstterm">independent software vendors</em>
+	      (<span class="abbrev">ISV</span>s) must work with the SELinux developers to
+	      produce the necessary policy. So far, a very restrictive
+	      <em class="firstterm">strict policy</em> has been written, as well as
+	      a <em class="firstterm">targeted policy</em> that focuses on specific,
+	      vulnerable daemons.
+            </p>
+<p>For more information about these policies, refer to <a href="#qa-whatis-policy">What is SELinux policy?</a> and <a href="#qa-whatis-targeted-policy">What is the    SELinux targeted policy?</a>.
+	    </p>
+</td>
+</tr>
+<tr class="question">
+<td align="left" valign="top">
+<a name="id2965128"></a><a name="id2965130"></a><b>Q:</b>
+</td>
+<td align="left" valign="top"><p>
+              How does SELinux affect third-party applications?
+            </p></td>
+</tr>
+<tr class="answer">
+<td align="left" valign="top"><b>A:</b></td>
+<td align="left" valign="top">
+<p>
+              One goal of implementing a targeted SELinux policy in Fedora Core is to
+	      allow third-party applications to work without modification.  The
+	      targeted policy is transparent to those unaddressed applications,
+	      and it falls back on standard Linux DAC security.  These
+	      applications, however, will not be running in an extra-secure
+	      manner. You or another provider must write policy to protect these
+	      applications with MAC security.
+            </p>
+<p>
+              It is impossible to predict how every third-party application
+	      might behave with SELinux, even running the targeted policy.  You
+	      may be able to fix issues that arise by changing the policy.  You
+	      may find that SELinux exposes previously unknown security issues
+	      with your application.  You may have to modify the  application to
+	      work under SELinux.
+            </p>
+<p>
+              Note that with the addition of <a href="#faq-entry-whatare-policy-modules">Policy Modules</a>, it is now possible
+	      for third-party developers to include policy modules with their
+	      application. If you are a third-party developer or a
+	      package-maintainer, please consider including a policy module
+	      in your package. This will allow you to secure the behavior
+	      of your application with the power of SELinux for any user
+	      installing your package.
+           </p>
+<p>
+              One important value that Fedora Core testers and users bring to the
+	      community is extensive testing of third-party applications. With
+	      that in mind, please bring your experiences to the appropriate
+	      mailing list, such as the fedora-selinux list, for discussion. For
+	      more information about that list, refer to <a href="http://www.redhat.com/mailman/listinfo/fedora-selinux-list/"; target="_top">http://www.redhat.com/mailman/listinfo/fedora-selinux-list/</a>.
+            </p>
+</td>
+</tr>
+</tbody>
+</table>
+</div>
+</div>
+</div>
 
 <?
 
 $template->displayFooter('$Date$');
 
 ?>
+


[Index of Archives]     [Fedora Users]     [Linux ARM]     [ARM Kernel]     [Older Fedora Users]     [Fedora Advisory Board]     [Fedora Security]     [Fedora Devel Java]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Mentors]     [Fedora Package Announce]     [Fedora Package Review]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Coolkey]     [Yum Users]     [Yosemite News]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]

  Powered by Linux