Hi,

I upgraded to FC3 this weekend. I always try and go with the defaults on a new install, because when fielding bug reports for my various projects I prefer to make the defaults work first so bug reporters and I have a common ground to work with. Since the default SELINUX policy is "targeted" I chose this, bracing myself :)

My first task was getting all my locally hosted websites to run. I have a few virtualhosts in my /home/thomas/www directory. When starting apache, the service script complains about these directories missing. Please note that I have a separate /home partition on hda6; I don't know if this affects any policy (yet).

The system log file shows things like:

  audit(1100000312.370:0): avc: denied { search } for pid=12350 exe=/usr/sbin/httpd name=thomas dev=hda6 ino=557094 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir

I read through a few howtos, including
http://fedora.redhat.com/docs/selinux-faq-fc3/index.html
(which has all of its internal links broken, can somebody please fix this, it's quite annoying !) and the writing policy howto mentioned herein:
https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266

The latter has a paragraph about where policy is stored, and mentions Makefiles and other stuff in /etc/selinux. None of this is present on my FC3 system, so I'm assuming here that Red Hat has changed some things from the default SELinux which obviate this step, but I have no way of finding out how. Am I missing something ? Maybe there's a package I need to install ?

I decided to learn about SELinux through the equivalent of poking at it with a large stick. I started adding some policy to /etc/selinux/targeted/contexts/files/file_contexts, adding a line reading:

  /home/thomas/www system_u:object_r:httpd_sys_content_t

The former howto tells me I can run

  /sbin/fixfiles relabel /home/thomas/www

but that command just gives me this:

  Usage: /sbin/fixfiles {-R rpmpackage[,rpmpackage...] [-l logfile ] [-o outputfile ] |check|restore|[-F] relabel}

It would seem to me that what I issued was correct, both from the howto as well as the usage output. Clearly I'm missing something else here. So I tried this:

  restorecon -v -R /home/thomas/www

and that did something. How do these two tools differ ? Why does the first not work as advertised ?

Using ls -alZ /home/thomas I seem to get the impression this security context has been adopted. Still, apache refuses to see the directory.

So I read some more of the howto. There's a binary called audit2allow that could help me generate rules. So I run it, restart apache a few times, but the binary doesn't print anything, not even with -v. Maybe I'm using it wrong, but there's no way of finding out if I am.

At this point, I'm pretty much stuck. So if any kind soul wants to throw me a bone, please do.

There are some things I find troubling and would want to offer suggestions for.

- I am a fairly typical developer. I'd like to understand my system and to do so I read documentation, look at examples and try it out. Yet the barrier to entry to selinux is pretty high, which seems bad for something Red Hat wants to be finely integrated into the distribution. Maybe it would be a good idea to write a simple "getting started" guide explaining how to do two or three common tasks (I'd say "serving web pages from a nonstandard directory" would be one of them), making sure that EVERY STEP works. Right now the howto contains things that do not work as advertised, and links to docs that reference stuff that is not present, without a mention close by where to get it.

- A lot of developers I know, including a bunch at Red Hat, *turn off SELINUX entirely*. IMO, something that gets pushed as heavily as this should be dogfooded by the development team at Red Hat completely, so they encounter firsthand what it means and how to fix basic issues. Knowledge spreads through increasingly growing circles starting from the center. If all RH developers, who have "easy" access to the SELINUX people at Red Hat, were to use it, they'd have basic knowledge about it. When the next circle of developers - outside of Red Hat, but having links to inside - gets hit, they do the same. And so on. It looks to me like the first circle is already completely broken, hence halting the dissemination of information and increasing the annoyance level outside of Red Hat. It won't be long before sysadmins and users ignore the default and turn it off entirely.

- The documentation is not easy to find, out of date, and doesn't match the system. IMO, if FC3 gets released, the howto for something as basic as SELINUX should be up to date and easy to find. As it is today:
  - http://fedora.redhat.com has one link to SELinux, which links to a project page that seems to be from before FC2 (!) and has no mention of documentation
  - The "docs" link below that links to the docs as a project, not to docs. Maybe not that bad, but confusing.
  - The docs link on the left links to docs, where SELINUX is listed, and the link mentions that it is for FC3 test 2
  - When you click it, the docs say it is for test *3*
  - all internal links in that doc are broken
  - some commands in that doc do not work: fixfiles, audit2allow
  - the document is more of a FAQ than a Howto, a simple "getting started" would help a lot.

I understand that FC3 is relatively fresh and that not everything can be in place from the start. I just want to get a good picture of where SELINUX is at and how to solve issues, so that I can try to fix stuff myself, and explain to other people. Otherwise I'll just have to turn off SELINUX myself, and recommend the same to others when questions are asked about it.

Feel free to comment, both on the particular issue at hand as well as the general issue of entry barriers to selinux.

Thomas

Dave/Dina : future TV today !
- http://www.davedina.org/

<-*- thomas (dot) apestaart (dot) org -*->
I will play you like a shark
And I'll clutch at your heart
I'll come flying like a spark
To enflame you
<-*- thomas (at) apestaart (dot) org -*->

URGent, best radio on the net - 24/7 ! - http://urgent.fm/
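Added example, not part of Thomas's mail and not Fedora or SELinux project code: a small Python script that does by hand what the post hopes audit2allow will do, and additionally tells the two situations in the mail apart. It parses AVC denial lines of the format shown in the post, merges denials per (source type, target type, class) into one audit2allow-style rule, and flags denials whose target type is default_t: that type means the directory never received a real label, so the fix is a file_contexts entry plus restorecon, not an allow rule (an "allow httpd_t default_t" rule would let httpd reach every unlabeled file on the box). The first log line in SAMPLE_LOG is copied from the post; the other lines are constructed. The function names (parse_avc, summarize, triage, file_context_line) are my own. The (/.*)? suffix that file_context_line emits is the standard regex form used in file_contexts so that the label applies to the directory's contents as well, which the bare path in the post does not.

```python
"""Triage SELinux AVC denials: allow rule, or relabel? (example code, not from the mail)"""
import re

# Kernel-2.6-era AVC line: "... avc: denied { perm perm } for key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Target types that mean "this object has no real label"; allowing access to them
# widens policy instead of fixing the labeling problem.
GENERIC_TYPES = {"default_t", "unlabeled_t", "file_t"}

# Constructed sample log. Line 1 is the denial quoted in the mail; the rest are made up
# to show a second class (file), a merged dir denial, a non-generic target type, and noise.
SAMPLE_LOG = """\
audit(1100000312.370:0): avc: denied { search } for pid=12350 exe=/usr/sbin/httpd name=thomas dev=hda6 ino=557094 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1100000312.371:0): avc: denied { getattr } for pid=12350 exe=/usr/sbin/httpd path=/home/thomas/www dev=hda6 ino=557095 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1100000312.372:0): avc: denied { read } for pid=12350 exe=/usr/sbin/httpd name=index.html dev=hda6 ino=557100 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=file
audit(1100000400.100:0): avc: denied { search } for pid=12350 exe=/usr/sbin/httpd name=thomas dev=hda6 ino=557094 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_dir_t tclass=dir
Nov  9 10:11:12 localhost kernel: not an avc line at all
"""


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one log line into a dict of AVC fields; None if it is not an AVC line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    event = {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "tclass": fields.get("tclass", ""),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "name": fields.get("name", fields.get("path", "")),
        "pid": fields.get("pid", ""),
        "exe": fields.get("exe", ""),
    }
    event["stype"] = context_type(event["scontext"])
    event["ttype"] = context_type(event["tcontext"])
    return event


def summarize(lines):
    """Merge denied permissions per (source type, target type, class), as audit2allow does."""
    merged = {}
    for line in lines:
        ev = parse_avc(line)
        if ev is None or ev["verdict"] != "denied":
            continue
        key = (ev["stype"], ev["ttype"], ev["tclass"])
        merged.setdefault(key, set()).update(ev["perms"])
    return merged


def allow_rule(stype, ttype, tclass, perms):
    """Render one TE allow rule in the syntax audit2allow prints."""
    return "allow %s %s:%s { %s };" % (stype, ttype, tclass, " ".join(sorted(perms)))


def triage(lines):
    """For each merged denial decide: write an allow rule, or relabel the files."""
    advice = []
    for (stype, ttype, tclass), perms in sorted(summarize(lines).items()):
        entry = {"key": (stype, ttype, tclass), "perms": sorted(perms)}
        if ttype in GENERIC_TYPES:
            entry["action"] = "relabel"
            entry["rule"] = None
            entry["note"] = ("target type %s is a catch-all label: add a file_contexts "
                             "entry and run restorecon -R on the directory" % ttype)
        else:
            entry["action"] = "allow"
            entry["rule"] = allow_rule(stype, ttype, tclass, perms)
            entry["note"] = "object is labeled; this rule grants exactly what was denied"
        advice.append(entry)
    return advice


def file_context_line(path, setype, seuser="system_u", role="object_r"):
    """Build a file_contexts entry; (/.*)? makes it cover everything under path."""
    return "%s(/.*)?\t%s:%s:%s" % (path, seuser, role, setype)


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG.splitlines()):
        print("%-7s %-40s %s" % (a["action"], a["key"], a["rule"] or a["note"]))
    print(file_context_line("/home/thomas/www", "httpd_sys_content_t"))
```

Run against the mail's own denial, the script classifies it as a relabel case, which matches what the post eventually did with restorecon; the constructed user_home_dir_t line shows the kind of denial that only appears after the content is correctly labeled, and for that one an allow rule is the honest answer.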