From Fedora Project Wiki
What the Documentation Covers (in no particular order, and subject to change)
From the current SELinux documentation todo list:
- "Explain how to interpret an AVC message and how to get additional information via SYSCALL audit, including how to add a simple syscall audit filter to enable collection of PATH information".
- "Document Confined Users".
- "Update FC5 FAQ".
- "Document the use of the mount command for overriding file context".
- "Describe Audit2allow and how it can just Fix the machine".
- "Update and organize the Fedora SELinux FAQ".
- Basic access control concepts.
- SELinux concepts:
  - Domains and Types.
  - Contexts.
  - Targets/Processes/Files.
- How do I find out if SELinux is enabled on my system?
- Confined and unconfined processes (`ps auxZ`).
- Main files: `/selinux/` and `/etc/selinux/config`.
- How to correctly disable SELinux (not sure if we want this ;) ).
- Maintaining correct labels:
  - View labels using `ls -Z`.
  - Copying vs moving files.
  - Using user_home_t files on other machines, such as a user moving their `~/.ssh/authorized_keys` file to another machine.
  - Relabeling an entire file system.
  - Possible problems caused by running in permissive mode, such as having permissions to mislabel files.
  - Mislabeled files, relabeled but still problems: `touch /.autorelabel` (Dan's journal).
- Red Hat Enterprise Linux 5 Deployment Guide: End User Control of SELinux.
- SELinux and virtualization (relabeling images if images are not in `/etc/xen/`).
- Logging:
  - Are SELinux denials taking up too much space? This came from #selinux.
  - Amount of denials in permissive mode vs enforcing mode.
  - Searching for specific denials (from #selinux: `/sbin/ausearch -m avc -ts today | grep search | head -n 1`, `sealert -l *`).
  - Where are the log files kept? (`/var/log/audit/audit.d`, `/var/log/messages`, etc. Basic explanation of which one will be used.)
- Basic interpretation of SELinux denials, and where to get help (maybe mail <fedora-selinux-list@redhat.com>). From #selinux:
  - (06:19:50 PM) hatty: Hi, I get this in my log `audit(1216043069.444:37): avc: denied { search } for pid=726 comm="busybox" name=""`, what is the meaning of name=""?
  - (08:58:22 PM) domg472: anyways hatty consider this: target objects can be any objects, objects aren't just file objects, but there are also other kinds of objects that may not carry a name, for example ports, interfaces or the objects of subjects (process objects)
- Controlling system daemons with booleans: `getsebool -a`, `setsebool -P`; how to find information about booleans listed by getsebool.
  - Common items people want to change.
- Installing and upgrading SELinux packages.
  - Upgrade problems if you start from a non-SELinux labeled file system?
- Missing SELinux users (`semanage user -l`).
- Not running X: `setroubleshoot-server`, run `sealert -l *`, <https://www.redhat.com/archives/fedora-selinux-list/2008-July/msg00004.html>.
- Confining Users.
- Mounting:
  - Do mount points need to be `mnt_t`?
Commands:
- `getsebool -a`
- `setsebool -P`
- `sestatus -v`
- `restorecon`
- `fixfiles`
- `newrole`
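As an added illustration of the "basic interpretation of SELinux denials" and "permissive vs enforcing" items above (example code written for this page, not from the wiki or the Fedora project): a small Python parser over constructed audit.log lines in auditd's AVC record format, which splits a record into its fields and shows why name="" can be legitimate, as the #selinux quote explains. The field names are auditd's (the `permissive=` field is only present on newer kernels); the sample lines, `FILE_CLASSES` and the helper names are constructed for the example.

```python
import re

# Constructed sample audit.log lines (not taken from the page); the first mirrors the
# shape of the message quoted from #selinux, the second is a port denial in permissive mode.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1216043069.444:37): avc:  denied  { search } for  pid=726 comm="busybox" name="" dev=sda1 ino=2 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1216043070.101:38): avc:  denied  { name_bind } for  pid=901 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1216043070.101:38): arch=c000003e syscall=49 success=no exit=-13
"""

# Header of an AVC record: timestamp:serial, denied/granted, the permission set, then key=value fields.
AVC_RE = re.compile(
    r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Object classes that are filesystem objects and therefore normally carry a name (constructed list).
FILE_CLASSES = {"file", "dir", "lnk_file", "chr_file", "blk_file", "sock_file", "fifo_file"}

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for non-AVC records (e.g. SYSCALL)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"timestamp": m.group("ts"), "serial": m.group("serial"),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec

def explain_name(rec):
    """Why name may be empty: only file-like target classes are expected to carry one."""
    tclass = rec.get("tclass", "?")
    if tclass in FILE_CLASSES:
        return "file-like object (%s): name missing, identify it via dev=/ino= and the matching SYSCALL/PATH records" % tclass
    return "non-file object (%s): no name expected, look at the target context instead" % tclass

def parse_audit_log(text):
    """Parse every AVC record in an audit log, skipping other record types."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]

def count_by_mode(records):
    """Count denials by the mode they were logged in (permissive=1 vs enforcing)."""
    counts = {"enforcing": 0, "permissive": 0}
    for rec in records:
        if rec["result"] == "denied":
            counts["permissive" if rec.get("permissive") == "1" else "enforcing"] += 1
    return counts
```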