Bug 187276 - SELinux FAQ errors
SELinux FAQ errors
Status: CLOSED CURRENTRELEASE
Product: Fedora Documentation
Classification: Fedora
Component: selinux-faq (Show other bugs)
devel
All Linux
medium Severity medium
: ---
: ---
Assigned To: Chad Sellers
Karsten Wade
http://fedora.redhat.com/docs/selinux...
:
: 187277 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-03-29 13:27 EST by Stephen Smalley
Modified: 2007-04-18 13:40 EDT (History)
2 users (show)

See Also:
Fixed In Version: 1.5.6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-04-28 18:06:53 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Stephen Smalley 2006-03-29 13:27:38 EST
[[ Description of change/FAQ addition.  If a change, include the original
text first, then the changed text: ]]

- Under What is SELinux policy, the path to the interface files should be
/usr/share/selinux/devel/include, not headers.

- Several paths to policy files seem truncated to just /etc/selinux/policyname,
e.g. under What is SELinux policy, you list that as the path to the binary
policy files, but they live under a policy subdirectory of that directory. 
Also, I personally find using $SELINUXTYPE to be less ambiguous there as that is
how it is defined in /etc/selinux/config.

- Under What are policy modules, there are a few issues:
1) The description seems a little confusing, as the kernel binary policy remains
monolithic and still must be replaced in total for change to take effect; what
has changed is that separable policy modules can now be built, distributed, and
linked together on end systems without requiring sources or the policy compiler
on the end systems.
2) You only mention semodule, but don't provide any pointers to the other key
commands involved in constructing and packaging modules (e.g. checkmodule,
semodule_package).  Also need to note that they need to install checkpolicy
package to have checkmodule for compiling policy modules on the build systems
(but not necessary on end systems to which the modules are distributed).
3) You don't give any pointers to where they can learn how to actually write a
policy module.  c.f. the examples under /usr/share/selinux/devel and
/usr/share/doc/selinux-policy-x.y.z here.

- Under What is managed policy, you list /etc/selinux/policyname again as the
path, but the module store actually lives under the modules subdirectory there.
semodule is another example of a tool that uses libsemanage, and setsebool has
been rewritten to use it, so module and boolean management is also covered by it.

- The Where are SELinux AVC messages (denial logs, etc) stored? Q&A needs to be
moved up very early in the FAQ, as people need to know that in order to deal
with any issues at all, and it has changed in every FC release so far (messages
in FC3 -> audit.log in FC4 -> messages by default in FC5, but audit.log if you
install and enable auditd).

- Under What do these rpm errors mean, I believe that the genhomedircon warning
is gone completely.

- Under "I am writing an php script that needs to create temporary file in /tmp
and then execute them...", allowing any system service to execute anything it
can write is a bad idea for security no matter where it puts the file.  How did
this even get into the FAQ?  That is the classic attack pattern once you've
compromised a php script - download code to exploit e.g. a kernel vulnerability,
and then run it.


[[ Version-Release of FAQ 
(found on
http://fedora.redhat.com/docs/selinux-faq-fc5/ln-legalnotice.html):

 for example:  selinux-faq-1.5.2 (2006-03-20)
Comment 1 Paul W. Frields 2006-03-29 18:15:11 EST
*** Bug 187277 has been marked as a duplicate of this bug. ***
Comment 2 Chad Sellers 2006-04-19 17:04:05 EDT
> - Under What is SELinux policy, the path to the interface files should be
/usr/share/selinux/devel/include, not headers.

Fixed

> - Several paths to policy files seem truncated to just etc/selinux/policyname,
e.g. under What is SELinux policy, you list that as the path to the binary
policy files, but they live under a policy subdirectory of that directory. Also,
I personally find using $SELINUXTYPE to be less ambiguous there as that is how
it is defined in /etc/selinux/config.

I fixed several of these to point to appropriate locations. I did not change it
to use $SELINUXTYPE, as I believe this is more ambiguous due to the overuse of
the term type.

> - Under What are policy modules, there are a few issues:
> 1) The description seems a little confusing, as the kernel binary policy
remains monolithic and still must be replaced in total for change to take
effect; what has changed is that separable policy modules can now be built,
distributed, and linked together on end systems without requiring sources or the
policy compiler on the end systems.

Fixed

> 2) You only mention semodule, but don't provide any pointers to the other key
commands involved in constructing and packaging modules (e.g. checkmodule,
semodule_package).  Also need to note that they need to install checkpolicy
package to have checkmodule for compiling policy modules on the build systems
(but not necessary on end systems to which the modules are distributed).

Fixed

> 3) You don't give any pointers to where they can learn how to actually write a
policy module.  c.f. the examples under /usr/share/selinux/devel and
/usr/share/doc/selinux-policy-x.y.z here.

Fixed

> - Under What is managed policy, you list /etc/selinux/policyname again as the
path, but the module store actually lives under the modules subdirectory there.
semodule is another example of a tool that uses libsemanage, and setsebool has
been rewritten to use it, so module and boolean management is also covered by it.

Fixed

> - The Where are SELinux AVC messages (denial logs, etc) stored? Q&A needs to
be moved up very early in the FAQ, as people need to know that in order to deal
with any issues at all, and it has changed in every FC release so far (messages
in FC3 -> audit.log in FC4 -> messages by default in FC5, but audit.log if you
install and enable auditd).

Moved up to the first Q&A in Resolving Problems

> - Under What do these rpm errors mean, I believe that the genhomedircon
warning is gone completely.

Yes, this disappeared during the FC5 rc phase. Fixed

> - Under "I am writing an php script that needs to create temporary file in
/tmp and then execute them...", allowing any system service to execute anything
it can write is a bad idea for security no matter where it puts the file.  How
did this even get into the FAQ?  That is the classic attack pattern once you've
compromised a php script - download code to exploit e.g. a kernel vulnerability,
and then run it.

Oops. The answer didn't actually give them write access, but the question
implied that it did. Fixed this to say why execute access is bad and how to have
scripts write (but not execute) tmp files.


Note You need to log in before you can comment on or make changes to this bug.