Hi all,
The Fedora SELinux managing-confined-services guide I have been working on is nearing completion.
I would greatly appreciate any and all comments or corrections that anyone has on it.
It is available here:
http://sradvan.fedorapeople.org/SELinux_Managing_Confined_Services/en-US/
Cheers,
On Thu, 2009-04-23 at 14:25 +1000, Scott Radvan wrote:
The Fedora SELinux managing-confined-services guide I have been working on is nearing completion.
I would greatly appreciate any and all comments or corrections that anyone has on it.
Nice, thank you.
Currently I only have a few comments:
-By default, Linux users run unconfined in Fedora, which is why the testfile file is labeled with the SELinux unconfined_u user
+testfile is labeled with the SELinux unconfined_u user because a unix user that is mapped to the unconfined_u SELinux user created the file.
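Review bot: "unix user" in the + line should read "Linux user", the term the guide (and the - line it replaces) uses, and the sentence is clearer if it keeps the default-mapping fact the - line carried: a new file takes the SELinux user of the process that creates it, and Linux users are mapped to unconfined_u by default, so the replacement could be "testfile is labeled with the SELinux unconfined_u user because it was created by a Linux user mapped to unconfined_u, which is the default mapping in Fedora."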
Maybe you can mention "semanage boolean' instead of /or besides get/setsebool.
semanage can do it as well and it might be easier for people that do not know better if a lot of this stuff is done in a centralized place.
I think dwalsh is working on getting semanage to do most of this stuff, so that one doesn't have to use 4 different utils to get something done.
semanage boolean -{d|m} [--on|--off|-1|-0] -F boolean | boolean_file
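An added example, not code from the guide or from this thread: a small Python helper that parses the output formats of the two tools mentioned above (`getsebool -a` and `semanage boolean -l`), cross-checks them, and emits the persistent form of a change in either dialect. The sample outputs are constructed for this example. The point it makes that the commands alone do not is the "(current , default)" column of `semanage boolean -l`: a boolean set with plain `setsebool` (without `-P`) shows current != default and is lost at the next policy reload or reboot.

```python
"""Compare SELinux boolean state as reported by getsebool(8) and semanage(8),
and emit the persistent command in either dialect.

Added example, not code from the guide. The sample outputs are constructed in
the formats the two tools print:
  getsebool -a          ->  "<name> --> on|off"
  semanage boolean -l   ->  "<name>  (<current> , <default>)  <description>"
"""
import re

# Constructed sample of `getsebool -a` output (not captured from a real host).
GETSEBOOL_OUTPUT = """\
httpd_can_network_connect --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
httpd_unified --> on
"""

# Constructed sample of `semanage boolean -l` output. The second column is
# "(current , default)": a boolean set with `setsebool` but no -P shows
# current != default and reverts at the next policy reload or reboot.
SEMANAGE_OUTPUT = """\
SELinux boolean                State  Default Description
httpd_can_network_connect      (off  ,  off)  Allow httpd to connect to the network
httpd_enable_cgi               (on   ,   on)  Allow httpd to run CGI scripts
httpd_enable_homedirs          (off  ,  off)  Allow httpd to read home directories
httpd_unified                  (on   ,  off)  Unify HTTPD handling of all content files
"""

_GETSEBOOL_RE = re.compile(r"^(\S+)\s+-->\s+(on|off)\s*$")
_SEMANAGE_RE = re.compile(r"^(\S+)\s+\(\s*(on|off)\s*,\s*(on|off)\s*\)\s*(.*)$")


def parse_getsebool(text):
    """Return {name: current_value} from `getsebool -a` output."""
    result = {}
    for line in text.splitlines():
        m = _GETSEBOOL_RE.match(line)
        if m:
            result[m.group(1)] = m.group(2) == "on"
    return result


def parse_semanage(text):
    """Return {name: (current, default)} from `semanage boolean -l` output.
    The header line does not match the regex and is skipped."""
    result = {}
    for line in text.splitlines():
        m = _SEMANAGE_RE.match(line)
        if m:
            result[m.group(1)] = (m.group(2) == "on", m.group(3) == "on")
    return result


def unpersisted(semanage_state):
    """Names whose runtime value differs from the stored default."""
    return sorted(n for n, (cur, dflt) in semanage_state.items() if cur != dflt)


def persist_commands(names, semanage_state, dialect="setsebool"):
    """Commands that make the current runtime value of each boolean permanent.
    dialect is "setsebool" (setsebool -P) or "semanage" (semanage boolean -m)."""
    cmds = []
    for name in names:
        cur = semanage_state[name][0]
        if dialect == "setsebool":
            cmds.append(f"setsebool -P {name} {'on' if cur else 'off'}")
        elif dialect == "semanage":
            cmds.append(f"semanage boolean -m {'--on' if cur else '--off'} {name}")
        else:
            raise ValueError(f"unknown dialect {dialect!r}")
    return cmds


def cross_check(getsebool_state, semanage_state):
    """Booleans the two tools disagree on (empty on a healthy host: both read
    the same kernel state, only the persisted default differs)."""
    return sorted(n for n, cur in getsebool_state.items()
                  if n in semanage_state and semanage_state[n][0] != cur)


if __name__ == "__main__":
    g = parse_getsebool(GETSEBOOL_OUTPUT)
    s = parse_semanage(SEMANAGE_OUTPUT)
    print("disagreements:", cross_check(g, s))
    pending = unpersisted(s)
    print("set at runtime only:", pending)
    for cmd in persist_commands(pending, s) + persist_commands(pending, s, "semanage"):
        print(cmd)
```

Running it against the constructed samples reports httpd_unified as set at runtime only and prints both `setsebool -P httpd_unified on` and `semanage boolean -m --on httpd_unified`, which are equivalent; the `semanage` form is the one to reach for if, as suggested above, the rest of the configuration is already being managed through `semanage`.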
On Thu, 2009-04-23 at 14:25 +1000, Scott Radvan wrote:
I would greatly appreciate any and all comments or corrections that anyone has on it.
Small typo here:
- To resolve this labeling issue, run the restoreconv -R -v /var/named/dynamic command as the Linux root user.
+ To resolve this labeling issue, run the restorecon -R -v /var/named/dynamic command as the Linux root user.
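Review bot: the corrected command name is right; one caveat worth adding in the same sentence is that restorecon -R -v only resets labels to what the loaded policy's file contexts specify, so it is the fix when /var/named/dynamic was mislabeled (for example after files were moved in with mv), but not when the policy's default for that path is itself wrong, where a semanage fcontext change must precede the restorecon.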
On Thu, 2009-04-23 at 14:25 +1000, Scott Radvan wrote:
I would greatly appreciate any and all comments or corrections that anyone has on it.
I like the examples; unfortunately, with regard to for example Apache, you do not have an example for each boolean. That would probably be too much, but it would be the best way to show when to use which boolean or combination of booleans.
For example we have had an issue on #fedora-selinux where httpd couldn't do some permission to httpd_sys_content_t.
setroubleshoot suggested httpd_unified, but even with that bool set to true, httpd was not able to do (i forgot which permission it was) to the file.
I suggested to the user to just label the file httpd_sys_content_rw_t and get it over with. (this worked)
However later dwalsh suggested that this wasn't just solved by httpd_unified because it required a combination of booleans to be set.
I'm not sure I remember correctly which combination this was, but I think:
httpd_enable_cgi, httpd_unified, httpd_enable_homedir
My point is that the idea of including examples is a very good idea in my view, but that there aren't so many examples.
On Thu, 2009-04-23 at 13:21 +0200, Dominick Grift wrote:
On Thu, 2009-04-23 at 14:25 +1000, Scott Radvan wrote:
I would greatly appreciate any and all comments or corrections that anyone has on it.
I like the examples; unfortunately, with regard to for example Apache, you do not have an example for each boolean. That would probably be too much, but it would be the best way to show when to use which boolean or combination of booleans.
For example we have had an issue on #fedora-selinux where httpd couldn't do some permission to httpd_sys_content_t.
setroubleshoot suggested httpd_unified, but even with that bool set to true, httpd was not able to do (i forgot which permission it was) to the file.
I suggested to the user to just label the file httpd_sys_content_rw_t and get it over with. (this worked)
However later dwalsh suggested that this wasn't just solved by httpd_unified because it required a combination of booleans to be set.
I'm not sure I remember correctly which combination this was, but I think:
httpd_enable_cgi, httpd_unified, httpd_enable_homedir
My point is that the idea of including examples is a very good idea in my view, but that there aren't so many examples.
Actually the example I gave here just does not work. There is a bug in the Fedora Apache policy. We have had another guy with the same issue in #selinux today, and httpd_unified does not work. Confirmed it.
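An added example, not code from the guide or from this thread: a Python triage helper for httpd AVC denials of the kind discussed in the messages above. It parses audit.log AVC records (the three sample records are constructed for this example), pulls out the source and target types, and separates the two cases the thread mixes up: a file that carries the wrong label (restore the policy default with restorecon, as in the BIND example earlier in the thread) versus a file whose default label httpd_sys_content_t is correct but read-only for httpd, where the fix that worked in the thread was a relabel to httpd_sys_content_rw_t, done persistently with semanage fcontext. The decision table in triage() is this example's own heuristic, not policy or setroubleshoot output.

```python
"""Triage httpd AVC denials like the one discussed in this thread.

Added example, not code from the guide or the thread. The audit records
below are constructed in audit.log's AVC format; the decision table in
triage() is this example's own heuristic, not output of the policy or of
setroubleshoot, and every command it returns is meant to be reviewed by a
human before it is run.
"""
import os
import re

# Constructed sample audit.log lines (not captured from a real host).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1240470300.512:42): avc:  denied  { write } for  pid=2143 comm="httpd" path="/var/www/html/uploads/upload.dat" dev=dm-0 ino=131073 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1240470301.007:43): avc:  denied  { read } for  pid=2143 comm="httpd" path="/var/www/html/index.html" dev=dm-0 ino=131074 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1240470302.300:44): avc:  denied  { name_connect } for  pid=2143 comm="httpd" dest=3306 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
"""

# File permissions that need a writable content type rather than httpd_sys_content_t.
WRITE_PERMS = {"write", "append", "create", "unlink", "rename", "setattr",
               "add_name", "remove_name", "rmdir"}
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key, raw, quoted in FIELD_RE.findall(m.group("rest")):
        rec[key] = quoted if raw.startswith('"') else raw
    # A context is user:role:type[:level]; the type is what the rules are written in.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def triage(rec):
    """Return (verdict, commands) for one parsed denial. Heuristic, see module docstring."""
    if rec.get("scontext_type") != "httpd_t":
        return ("not an httpd denial", [])
    ttype = rec.get("tcontext_type", "")
    tclass = rec.get("tclass")
    path = rec.get("path")  # present for path-based denials; some records carry only name=
    if tclass in FILE_CLASSES and not ttype.startswith("httpd_"):
        # The object carries a type httpd is never meant to use here (typical after a
        # `mv` from a home directory, which keeps the source label). Check what the
        # policy's file contexts say the label should be; if the default is an httpd
        # type, restorecon fixes it. If the default is the same non-httpd type (the
        # file really lives under a home directory), the fix is a boolean, not a relabel.
        if path:
            return ("mislabeled object: compare with policy default and reset",
                    [f"matchpathcon {path}", f"restorecon -v {path}"])
        return ("mislabeled object: recover the path first", ["ausearch -m avc -ts recent -i"])
    if ttype == "httpd_sys_content_t" and rec["perms"] & WRITE_PERMS:
        # Default label is correct but read-only for httpd. The fix that worked in the
        # thread: relabel the writable tree persistently (semanage fcontext, so a later
        # restorecon keeps it). Later policies name this type httpd_sys_rw_content_t
        # and keep httpd_sys_content_rw_t as an alias.
        if not path:
            return ("httpd write to read-only content: recover the path first",
                    ["ausearch -m avc -ts recent -i"])
        tree = os.path.dirname(path) if tclass == "file" else path
        return ("httpd write to read-only content: relabel the tree as writable",
                [f'semanage fcontext -a -t httpd_sys_content_rw_t "{tree}(/.*)?"',
                 f"restorecon -R -v {tree}"])
    return ("outside this heuristic: see sealert -a /var/log/audit/audit.log", [])


def triage_log(text):
    """Triage every AVC record in an audit.log excerpt."""
    out = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            out.append((rec.get("comm"), sorted(rec["perms"])) + triage(rec))
    return out


if __name__ == "__main__":
    for comm, perms, verdict, cmds in triage_log(SAMPLE_AUDIT):
        print(f"{comm} {{ {' '.join(perms)} }}: {verdict}")
        for c in cmds:
            print("   ", c)
```

The relabel is scoped to the directory, not the single file, because httpd will keep creating new files there and each one would otherwise come up as httpd_sys_content_t again; the matching `semanage fcontext` rule is what makes the writable label survive the next `restorecon -R`. The third sample (a port denial) is deliberately left outside the heuristic rather than guessed at.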
selinux@lists.fedoraproject.org