I need help understanding SELinux!
I've read just about every on-line SELinux article I can find, and I am
getting progressively more confused as I read more. Following along in
these articles on a Fedora Core 3 system, reading documents written for
Fedora Core 2 Test 3 and before, is confusing. The older the document,
the more my installation fails to match the documentation.
I need a starting place, some things to look at once I have my Fedora
Core 3 installation running. Some simple things, some that work
correctly, some that fail and I can learn how to track down and fix.
And, the answers to some basic questions:
1) Why does a Fedora Core 3 installation, with SELinux "Active" or
"Warn", not install selinux-policy-targeted-sources? I kept
pulling my hair out (little that there is) when trying to find:
/etc/selinux/targeted/src/policy
All the documents referred to this directory, and it was VERY
confusing not to find it. This directory should at least be
an empty directory after a fresh install.
2) Are the setools and setools-gui packages required to be used on a
SELinux enabled system? If so, why are they not installed when
SELinux is installed? In particular, I am very confused about how
to create new users and new groups. It looks like I need to update
our in-house instructions to use seuseradd, seuserdel, etc. instead
of useradd and userdel?
3) Where the heck is the SELinux audit file? Try as much as I could,
I can't find it. Every document references it, but none I have
found actually refer to it by path/filename.
4) I know you guys discuss policy problems all the time, from the
viewpoint of their AVC log events, but I'd like to see what one of
these AVC log events looks like on my system. In particular, I
have a Fedora Core 3 Workstation installation running the targeted
policy in enforcing mode. I'd appreciate a simple test I could
perform that would generate an AVC log entry, some idea on how to
look for the log entry, and some idea about how to analyze the log
entry. I know, blasphemy. But there are three ways that adults
learn:
1. Visual: people who learn by seeing it done.
2. Auditory: people who learn by hearing.
3. Kenesthetic: people who learn by doing (touch and body
movement).
I'm a #3.
5) Does it make sense to have a Workstation installation with the
"strict" policy? Under what circumstances?
I am putting instructions together for people in my Lab on how to
install and use Fedora Core 3. One of the early lessons I want to
document is some simple instructions on how to use SELinux. Then, as
other instructions are written for other Lab-oriented tasks, I would
integrate SELinux into these instructions. The people in the Lab are
responsible for maintaining their various computers, so knowledge about
SELinux appears necessary. If I can't understand it and explain it to
them, things are going to get messy.
Thanks for the help.
--
David Hart <dhart275(a)offramp.com>