https://bugzilla.redhat.com/show_bug.cgi?id=1180142 Bug ID: 1180142 Summary: issues in the introduction of selinux-user-guide Product: Fedora Documentation Version: devel Component: selinux-user-guide Assignee: mprpic(a)redhat.com Reporter: nmavrogi(a)redhat.com QA Contact: docs-qa(a)lists.fedoraproject.org CC: mprpic(a)redhat.com, pkennedy(a)redhat.com, zach(a)oglesby.co [Originally sent to authors of the document] I was trying to understand selinux using that guide, and had quite some issues in the introduction. I send you my issues in the hope they will help to improve the text. ------------------------------------------------------------- Chapter 2. Introduction to SELinux: I couldn't really understand what is selinux based on this section. It says it is mandatory access control mechanism, and then it goes into length explaining the 'Discretionary Access Control (DAC) system' used typically in Linux. That's nice if you already know what selinux is, because you can see the difference, but the opposite what I'd expect at the moment since I have no idea what selinux is. My suggestion would be to add the description I saw in https://www.imperialviolet.org/2009/07/14/selinux.html "SELinux is fundamentally about answering questions of the form “May x do y to z?” and enforcing the result (x is subject, z is object) ... The action (y) boils down to a class and a permission. Each class can have up to 32 permissions (because they are stored as a bitmask in a 32-bit int). Examples of classes are FILE, TCP_SOCKET and X_EVENT. For the FILE class, some examples of permissions are READ, WRITE, LOCK etc." At least for me that was all the information that I needed to understand what I can do with SELinux. A complete pictures may require to go into a bit more length with explaining what can be a subject, object and actions. Then mentioning about MAC and explaining it in addition to DAC will be more natural IMO. --------------------------------------------------------------------- 2.1. Benefits of running SELinux This is section vaguely defines domain. I reached "3.1. Domain Transitions" and didn't know what a domain was. Maybe add a definition of domain in 3.1 or earlier in the introduction. --------------------------------------------------------------------- Chapter 3. SELinux Contexts level: It explains that in Fedora there is a single sensitivity and multiple categories. I miss what are these categories intended to be used to? An example with two different categories would be helpful. -- You are receiving this mail because: You are the QA Contact for the bug.