Author: kwade
Update of /cvs/fedora/web/html/docs/selinux-faq-fc5
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv15202
Modified Files:
index.php
Log Message:
Updates with many bug fixes; refer to the internal revision history in the HTML file for
specific details.
View full diff with command:
/usr/bin/cvs -f diff -kk -u -N -r 1.4 -r 1.5 index.php
Index: index.php
===================================================================
RCS file: /cvs/fedora/web/html/docs/selinux-faq-fc5/index.php,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- index.php 7 Apr 2006 14:34:53 -0000 1.4
+++ index.php 28 Apr 2006 19:37:48 -0000 1.5
@@ -52,6 +52,18 @@
<div><div class="revhistory"><table border="1"
width="100%" summary="Revision history">
<tr><th align="left" valign="top"
colspan="3"><b>Revision History</b></th></tr>
<tr>
+<td align="left">Revision 1.5.6</td>
+<td align="left">2006-04-28</td>
+<td align="left">CS</td>
+</tr>
+<tr><td align="left" colspan="3">
+ <p>
+ Fix for bz #18727, bz#139744, bz#144696, bz#147915, and
+ bz#190181; other fixes, including from
+
http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions
+ </p>
+ </td></tr>
+<tr>
<td align="left">Revision 1.5.5</td>
<td align="left">2006-04-07</td>
<td align="left">KW</td>
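Review bot: the wrapped URL line at the end of the new revision-history paragraph (`http://fedoraproject.org/wiki/SELinux/FAQ/ProposedAdditions`) carries no `+` prefix, so as shown the hunk contains a context line that does not exist in revision 1.4 and `patch` would reject it; this is most likely a mailer line-wrap, but check the committed file. The bug list also mixes `bz #18727` and `bz#139744`; use one form, and since `#18727` has five digits next to the six-digit ids around it, confirm that number.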
@@ -210,11 +222,11 @@
<dt>1.1. <a href="#faq-div-understanding-selinux">Understanding
SELinux</a>
</dt>
<dd><dl>
-<dt>Q: <a href="#id2925009">
+<dt>Q: <a href="#id2904784">
What is SELinux?
</a>
</dt>
-<dt>Q: <a href="#id2926456">
+<dt>Q: <a href="#id2905989">
What is SELinux policy?
</a>
</dt>
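Review bot: every `href="#id29…"` in this hunk changes only because the DocBook toolchain regenerates anonymous ids on each build, so any bookmark or external link to a question breaks with every rebuild. The explicit anchors already used in this file (`#qa-using-s-c-securitylevel`, `#faq-entry-local.te`, `#faq-entry-public_html`) show the fix: give each question an explicit id in the source so these churn-only hunks stop appearing.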
@@ -222,15 +234,15 @@
What is the SELinux targeted policy?
</a>
</dt>
-<dt>Q: <a href="#id2926712">
+<dt>Q: <a href="#id2903411">
What programs are protected by the targeted policy?
</a>
</dt>
-<dt>Q: <a href="#id2939593">
+<dt>Q: <a href="#id2919193">
What about the strict policy? Does it even work?
</a>
</dt>
-<dt>Q: <a href="#id2939659">
+<dt>Q: <a href="#id2919259">
What is the mls policy? Who is it for?
</a>
</dt>
@@ -238,15 +250,15 @@
What is the Reference Policy?
</a>
</dt>
-<dt>Q: <a href="#id2939752">
+<dt>Q: <a href="#id2919352">
What are file contexts?
</a>
</dt>
-<dt>Q: <a href="#id2939817">
+<dt>Q: <a href="#id2919417">
How do I view the security context of a file, user, or process?
</a>
</dt>
-<dt>Q: <a href="#id2939854">
+<dt>Q: <a href="#id2919454">
What is the difference between a domain and
a type?
</a>
@@ -263,69 +275,82 @@
<dt>1.2. <a href="#faq-div-controlling-selinux">Controlling
SELinux</a>
</dt>
<dd><dl>
-<dt>Q: <a href="#id2977994">
+<dt>Q: <a href="#id2957630">
How do I install/not install SELinux?
</a>
</dt>
-<dt>Q: <a href="#id2978020">
+<dt>Q: <a href="#id2957656">
+ As an administrator, what do I need to do to configure SELinux for
+ my system?
+ </a>
+</dt>
+<dt>Q: <a href="#qa-using-s-c-securitylevel">
+ How do I enable/disable SELinux protection on specific daemons under
+ the targeted policy?
+ </a>
+</dt>
+<dt>Q: <a href="#faq-entry-local.te">
+ In the past I have written local.te file in policy sources for my
+ own local customization to policy, how do I do this
+ in Fedora Core 5?
+ </a>
+</dt>
+<dt>Q: <a href="#id2958106">
+ I have some avc denials that I would like to allow, how do I do this?
+ </a>
+</dt>
+<dt>Q: <a href="#id2958297">
+ How can I help write policy?
+ </a>
+</dt>
+<dt>Q: <a href="#id2958611">
How do I switch the policy I am currently using?
</a>
</dt>
-<dt>Q: <a href="#id2978236">
+<dt>Q: <a href="#id2958828">
How can I back up files from an SELinux file system?
</a>
</dt>
-<dt>Q: <a href="#id2978336">
+<dt>Q: <a href="#id2958928">
How can I install the strict policy by default with kickstart?
</a>
</dt>
-<dt>Q: <a href="#qa-using-s-c-securitylevel">
- How do I enable/disable SELinux protection on specific daemons under
- the targeted policy?
- </a>
-</dt>
-<dt>Q: <a href="#id2978458">
+<dt>Q: <a href="#faq-entry-public_html">
How do I make a user public_html directory
work under SELinux?
</a>
</dt>
-<dt>Q: <a href="#id2978670">
+<dt>Q: <a href="#id2959210">
How do I turn SELinux off at boot?
</a>
</dt>
-<dt>Q: <a href="#id2978730">
+<dt>Q: <a href="#id2959271">
How do I turn enforcing on/off at boot?
</a>
</dt>
-<dt>Q: <a href="#id2978848">
+<dt>Q: <a href="#id2959389">
How do I temporarily turn off enforcing mode without having to
reboot?
</a>
</dt>
-<dt>Q: <a href="#id2978916">
+<dt>Q: <a href="#id2959456">
How do I turn system call auditing on/off at boot?
</a>
</dt>
-<dt>Q: <a href="#id2978959">
+<dt>Q: <a href="#id2959500">
How do I temporarily turn off system-call auditing without having
to reboot?
</a>
</dt>
-<dt>Q: <a href="#id2978984">
+<dt>Q: <a href="#id2959525">
How do I get status info about my SELinux installation?
</a>
</dt>
-<dt>Q: <a href="#id2979014">
+<dt>Q: <a href="#id2959555">
How do I write policy to allow a domain to use pam_unix.so?
</a>
</dt>
-<dt>Q: <a href="#id2979106">
- In the past I have written local.te file in policy sources for my
- own local customization to policy, how do I do this with
- Reference Policy?
- </a>
-</dt>
-<dt>Q: <a href="#id2979283">
+<dt>Q: <a href="#id2959647">
I created a new Policy Package, where do I put it to make sure that
it gets loaded into the kernel?
</a>
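Review bot: the new local.te and public_html entries get explicit anchors, but the other three new questions (`#id2957656`, `#id2958106`, `#id2958297`) are still added with generated ids; give them explicit ones now rather than after the links have been published. The local.te question was also reworded from "how do I do this with Reference Policy?" to "in Fedora Core 5?" and moved up the list, which changes its answer's scope and deserves its own line in the revision history rather than "other fixes".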
@@ -334,46 +359,55 @@
<dt>1.3. <a href="#faq-div-resolving-problems">Resolving
Problems</a>
</dt>
<dd><dl>
-<dt>Q: <a href="#id2979349">
+<dt>Q: <a href="#id2959713">
+ Where are SELinux AVC messages (denial logs, etc.) stored?
+ </a>
+</dt>
+<dt>Q: <a href="#id2959759">
My application isn't working as expected and I am seeing
avc: denied messages. How do I
fix this?
</a>
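Review bot: moving "Where are SELinux AVC messages (denial logs, etc.) stored?" to the head of Resolving Problems is the right order, since the next entry ("I am seeing avc: denied messages. How do I fix this?") assumes the reader already knows where to find those lines.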
[...2155 lines suppressed...]
<tr class="question">
<td align="left" valign="top">
-<a name="id2981102"></a><a
name="id2981104"></a><b>Q:</b>
+<a name="id2961298"></a><a
name="id2961301"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What do these rpm errors mean?
@@ -2676,17 +3039,6 @@
<td align="left" valign="top"><b>A:</b></td>
<td align="left" valign="top">
<pre class="screen">
-<code class="computeroutput">genhomedircon: Warning! No support yet for
expanding ROLE macros in the /etc/selinux/mls/contexts/files/homedir_template file when
using libsemanage.
-genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users
(including root).</code>
-</pre>
-<p>
- Some of the interfaces are not complete yet for selinux. Most
- users should not care about this warning. It will only affect you
- if you are running the policy package that is reporting the
- problem and have non standard SELinux role/user combinations.
- IE You are using some custom policy.
- </p>
-<pre class="screen">
<code class="computeroutput">restorecon reset /etc/modprobe.conf context
system_u:object_r:etc_runtime_t->system_u:object_r:modules_conf_t
restorecon reset /etc/cups/ppd/homehp.ppd context
user_u:object_r:cupsd_etc_t->system_u:object_r:cupsd_rw_etc_t</code>
</pre>
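Review bot: this drops the genhomedircon warning and its explanation from the "What do these rpm errors mean?" answer with no replacement, and nothing in the revision history says the entry was trimmed. Only remove it if that warning no longer appears with the Fedora Core 5 policy packages; otherwise keep the paragraph and just fix its wording (`IE You are using some custom policy` should read `i.e. you are using some custom policy`). The remaining `restorecon reset` lines should then be introduced as the only output the answer now explains.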
@@ -2707,7 +3059,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2981178"></a><a
name="id2981180"></a><b>Q:</b>
+<a name="id2961367"></a><a
name="id2961369"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
I want to run a daemon on a non standard port but SELinux will not
@@ -2729,7 +3081,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2981215"></a><a
name="id2981218"></a><b>Q:</b>
+<a name="id2961404"></a><a
name="id2961406"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How do I add additional translations to my MCS/MLS system?
@@ -2769,7 +3121,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2981273"></a><a
name="id2981275"></a><b>Q:</b>
+<a name="id2961461"></a><a
name="id2961463"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
I have setup my MCS/MLS translations, now I want to designate
@@ -2803,28 +3155,41 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2981327"></a><a
name="id2981329"></a><b>Q:</b>
+<a name="id2961515"></a><a
name="id2961518"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
- I am writing an php script that needs to create temporary files in
- <code class="filename">/tmp</code> and then execute them,
SELinux policy is
- preventing this. What should I do?
+ I am writing a php script that needs to create files
+ and possibly execute them. SELinux
+ policy is preventing this. What should I do?
</p></td>
</tr>
<tr class="answer">
<td align="left" valign="top"><b>A:</b></td>
-<td align="left" valign="top"><p>
- You should avoid having system applications writing to the
+<td align="left" valign="top">
+<p>
+ First, you should never allow a system service to execute
+ anything it can write. This gives an attacker the ability to
+ upload malicious code to the server and then execute it, which
+ is something we want to prevent.
+ </p>
+<p>
+ If you merely need to allow your script to create
+ (non-executable) files, this is possible. That said,
+ you should avoid having system applications writing to the
<code class="filename">/tmp</code> directory, since users
tend to use the
<code class="filename">/tmp</code> directory also. It would
be better to
create a directory elsewhere which could be owned by the apache
process and allow your script to write to it. You should label the
- directory <code
class="computeroutput">httpd_sys_script_rw_t</code>.
- </p></td>
+ directory <code
class="computeroutput">httpd_sys_script_rw_t</code>,
+ which will allow apache to read and write files to that
+ directory. This directory could be located anywhere that apache
+ can get to (even <code
class="filename">$HOME/public_html/</code>).
+ </p>
+</td>
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2981373"></a><a
name="id2981375"></a><b>Q:</b>
+<a name="id2961573"></a><a
name="id2961575"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
I am setting up swapping to a file, but I am seeing AVC messages
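Review bot: the rewritten answer tells the reader to label the directory `httpd_sys_script_rw_t` but never shows how, and a label set by hand with `chcon` does not survive a relabel, exactly the kind of reset the `restorecon reset ...` lines in the rpm-errors answer above show; add the command and a sentence on making the label persistent. The closing sentence also says the directory can live "even in `$HOME/public_html/`", which depends on the home-directory settings the separate public_html entry (`#faq-entry-public_html`) covers; cross-reference that entry instead of implying it works unconditionally. Keeping the write-then-execute warning as the first paragraph is the right structure.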
@@ -2845,7 +3210,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2981410"></a><a
name="id2981412"></a><b>Q:</b>
+<a name="id2961610"></a><a
name="id2961612"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
Please explain the
@@ -2889,55 +3254,32 @@
</ul></div>
</td>
</tr>
-<tr class="question">
-<td align="left" valign="top">
-<a name="id2981506"></a><a
name="id2981508"></a><b>Q:</b>
-</td>
-<td align="left" valign="top"><p>
- Where are SELinux AVC messages (denial logs, etc.) stored?
- </p></td>
-</tr>
-<tr class="answer">
-<td align="left" valign="top"><b>A:</b></td>
-<td align="left" valign="top"><p>
- In Fedora Core 2 and 3, SELinux AVC messages could be found in
- <code class="filename">/var/log/messages</code>.
- In Fedora Core 4, the audit daemon was added, and these messages
- moved to
- <code class="filename">/var/log/audit/audit.log</code>.
- In Fedora Core 5, the audit daemon is not installed by default, and
- consequently these messages can be found in
- <code class="filename">/var/log/messages</code> unless you
choose to
- install the audit daemon, in which case AVC messages will be in
- <code class="filename">/var/log/audit/audit.log</code>.
- </p></td>
-</tr>
<tr class="qandadiv"><td align="left" valign="top"
colspan="2">
<a name="faq-div-deploying-selinux"></a><h4
class="title">
<a name="faq-div-deploying-selinux"></a>1.4. Deploying
SELinux</h4>
</td></tr>
<tr class="toc" colspan="2"><td align="left"
valign="top" colspan="2"><dl>
-<dt>Q: <a href="#id2981560">
+<dt>Q: <a href="#id2961714">
What file systems can I use for SELinux?
</a>
</dt>
-<dt>Q: <a href="#id2981594">
+<dt>Q: <a href="#id2961748">
How does SELinux impact system performance?
</a>
</dt>
-<dt>Q: <a href="#id2981625">
+<dt>Q: <a href="#id2961779">
What types of deployments, applications, and systems should I
leverage SELinux in?
</a>
</dt>
-<dt>Q: <a href="#id2981694">
+<dt>Q: <a href="#id2961848">
How does SELinux affect third-party applications?
</a>
</dt>
</dl></td></tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2981560"></a><a
name="id2981562"></a><b>Q:</b>
+<a name="id2961714"></a><a
name="id2961717"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What file systems can I use for SELinux?
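Review bot: the removed "Where are SELinux AVC messages (denial logs, etc.) stored?" question reappears at the top of the Resolving Problems TOC earlier in this diff, so this is a move rather than a deletion; the moved answer body falls in the suppressed part of the diff, so confirm it was carried over verbatim, in particular the Fedora Core 5 note that the audit daemon is not installed by default and denials then land in `/var/log/messages` rather than `/var/log/audit/audit.log`. The Deploying SELinux TOC lines in the same hunk are generated-id churn only.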
@@ -2963,7 +3305,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2981594"></a><a
name="id2981602"></a><b>Q:</b>
+<a name="id2961748"></a><a
name="id2961756"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How does SELinux impact system performance?
@@ -2983,7 +3325,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2981625"></a><a
name="id2981627"></a><b>Q:</b>
+<a name="id2961779"></a><a
name="id2961782"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
What types of deployments, applications, and systems should I
@@ -3023,7 +3365,7 @@
</tr>
<tr class="question">
<td align="left" valign="top">
-<a name="id2981694"></a><a
name="id2981696"></a><b>Q:</b>
+<a name="id2961848"></a><a
name="id2961850"></a><b>Q:</b>
</td>
<td align="left" valign="top"><p>
How does SELinux affect third-party applications?