[[ Description of change/FAQ addition. If a change, include the original text first, then the changed text: ]]

- Under What is SELinux policy, the path to the interface files should be /usr/share/selinux/devel/include, not headers.

- Several paths to policy files seem truncated to just /etc/selinux/policyname, e.g. under What is SELinux policy, you list that as the path to the binary policy files, but they live under a policy subdirectory of that directory. Also, I personally find using $SELINUXTYPE to be less ambiguous there as that is how it is defined in /etc/selinux/config.

- Under What are policy modules, there are a few issues:
  1) The description seems a little confusing, as the kernel binary policy remains monolithic and still must be replaced in total for change to take effect; what has changed is that separable policy modules can now be built, distributed, and linked together on end systems without requiring sources or the policy compiler on the end systems.
  2) You only mention semodule, but don't provide any pointers to the other key commands involved in constructing and packaging modules (e.g. checkmodule, semodule_package). Also need to note that they need to install the checkpolicy package to have checkmodule for compiling policy modules on the build systems (but not necessary on end systems to which the modules are distributed).
  3) You don't give any pointers to where they can learn how to actually write a policy module. cf. the examples under /usr/share/selinux/devel and /usr/share/doc/selinux-policy-x.y.z here.

- Under What is managed policy, you list /etc/selinux/policyname again as the path, but the module store actually lives under the modules subdirectory there. semodule is another example of a tool that uses libsemanage, and setsebool has been rewritten to use it, so module and boolean management is also covered by it.

- The "Where are SELinux AVC messages (denial logs, etc) stored?" Q&A needs to be moved up very early in the FAQ, as people need to know that in order to deal with any issues at all, and it has changed in every FC release so far (messages in FC3 -> audit.log in FC4 -> messages by default in FC5, but audit.log if you install and enable auditd).

- Under What do these rpm errors mean, I believe that the genhomedircon warning is gone completely.

- Under "I am writing a php script that needs to create temporary file in /tmp and then execute them...", allowing any system service to execute anything it can write is a bad idea for security no matter where it puts the file. How did this even get into the FAQ? That is the classic attack pattern once you've compromised a php script - download code to exploit e.g. a kernel vulnerability, and then run it.

[[ Version-Release of FAQ (found on http://fedora.redhat.com/docs/selinux-faq-fc5/ln-legalnotice.html): for example: selinux-faq-1.5.2 (2006-03-20)
*** Bug 187277 has been marked as a duplicate of this bug. ***
> - Under What is SELinux policy, the path to the interface files should be /usr/share/selinux/devel/include, not headers.

Fixed

> - Several paths to policy files seem truncated to just /etc/selinux/policyname, e.g. under What is SELinux policy, you list that as the path to the binary policy files, but they live under a policy subdirectory of that directory. Also, I personally find using $SELINUXTYPE to be less ambiguous there as that is how it is defined in /etc/selinux/config.

I fixed several of these to point to appropriate locations. I did not change it to use $SELINUXTYPE, as I believe this is more ambiguous due to the overuse of the term type.

> - Under What are policy modules, there are a few issues:
> 1) The description seems a little confusing, as the kernel binary policy remains monolithic and still must be replaced in total for change to take effect; what has changed is that separable policy modules can now be built, distributed, and linked together on end systems without requiring sources or the policy compiler on the end systems.

Fixed

> 2) You only mention semodule, but don't provide any pointers to the other key commands involved in constructing and packaging modules (e.g. checkmodule, semodule_package). Also need to note that they need to install the checkpolicy package to have checkmodule for compiling policy modules on the build systems (but not necessary on end systems to which the modules are distributed).

Fixed

> 3) You don't give any pointers to where they can learn how to actually write a policy module. cf. the examples under /usr/share/selinux/devel and /usr/share/doc/selinux-policy-x.y.z here.

Fixed

> - Under What is managed policy, you list /etc/selinux/policyname again as the path, but the module store actually lives under the modules subdirectory there. semodule is another example of a tool that uses libsemanage, and setsebool has been rewritten to use it, so module and boolean management is also covered by it.

Fixed

> - The "Where are SELinux AVC messages (denial logs, etc) stored?" Q&A needs to be moved up very early in the FAQ, as people need to know that in order to deal with any issues at all, and it has changed in every FC release so far (messages in FC3 -> audit.log in FC4 -> messages by default in FC5, but audit.log if you install and enable auditd).

Moved up to the first Q&A in Resolving Problems

> - Under What do these rpm errors mean, I believe that the genhomedircon warning is gone completely.

Yes, this disappeared during the FC5 rc phase. Fixed

> - Under "I am writing a php script that needs to create temporary file in /tmp and then execute them...", allowing any system service to execute anything it can write is a bad idea for security no matter where it puts the file. How did this even get into the FAQ? That is the classic attack pattern once you've compromised a php script - download code to exploit e.g. a kernel vulnerability, and then run it.

Oops. The answer didn't actually give them write access, but the question implied that it did. Fixed this to say why execute access is bad and how to have scripts write (but not execute) tmp files.
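Worked example added here, not code from the FAQ, the bug report, or the Fedora SELinux packages. It walks the module tool chain the report asks the FAQ to cover (checkmodule from the checkpolicy package, then semodule_package, then semodule), derives the compiled-policy and module-store directories from SELINUXTYPE in /etc/selinux/config instead of the truncated /etc/selinux/policyname, and lints a constructed module that gives a web server write but not execute on files in /tmp, the distinction the last item and its fix turn on. The type names httpd_t and tmp_t are assumed from the reference policy; the module name local_tmpwrite and the sample config file are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the FAQ or the bug report. Assumptions:
# httpd_t and tmp_t are the reference-policy types for the web server and
# /tmp; local_tmpwrite is a constructed module name; the config below is a
# constructed stand-in for /etc/selinux/config.

SELINUX_CONFIG_SAMPLE='# constructed sample, not a real host config
SELINUX=enforcing
SELINUXTYPE=targeted
'

# Constructed policy module source (.te). The web server domain gets
# create/write on files in /tmp plus the directory permissions needed to
# add and remove entries. execute is deliberately absent, so a file the
# script writes cannot be run by the same domain.
TE_SOURCE='module local_tmpwrite 1.0;

require {
    type httpd_t;
    type tmp_t;
    class dir { add_name remove_name search write };
    class file { create getattr read write unlink };
}

allow httpd_t tmp_t:dir { add_name remove_name search write };
allow httpd_t tmp_t:file { create getattr read write unlink };
'

# Read a config file on stdin and print, one per line, the compiled-policy
# directory /etc/selinux/$SELINUXTYPE/policy and the module store
# /etc/selinux/$SELINUXTYPE/modules. Fails if SELINUXTYPE is not set.
selinux_paths() {
    t=$(sed -n 's/^SELINUXTYPE=[[:space:]]*\([^[:space:]#]*\).*/\1/p' | head -n 1)
    [ -n "$t" ] || return 1
    printf '%s\n' "/etc/selinux/$t/policy" "/etc/selinux/$t/modules"
}

# Succeed if any allow rule in TE_SOURCE grants the permission named in $1
# (comment lines are ignored). A quick "write but not execute" lint to run
# before a module is packaged.
te_allows_perm() {
    printf '%s\n' "$TE_SOURCE" \
        | grep -v '^[[:space:]]*#' \
        | grep '^[[:space:]]*allow ' \
        | grep -qE "[[:space:]{]$1[[:space:];}]"
}

# Compile and package the module on the build host. checkmodule comes from
# the checkpolicy package; neither tool is needed on end systems, which
# install the resulting .pp with: semodule -i local_tmpwrite.pp (as root).
# semodule then stores it under the modules directory selinux_paths prints.
build_module() {
    for tool in checkmodule semodule_package; do
        command -v "$tool" >/dev/null 2>&1 || {
            echo "build_module: $tool not found (checkmodule is in checkpolicy)" >&2
            return 2
        }
    done
    workdir=$(mktemp -d) || return 1
    printf '%s' "$TE_SOURCE" > "$workdir/local_tmpwrite.te"
    # -M: build against an MLS-enabled base policy, -m: emit a non-base module
    checkmodule -M -m -o "$workdir/local_tmpwrite.mod" "$workdir/local_tmpwrite.te" || return 1
    semodule_package -o "$workdir/local_tmpwrite.pp" -m "$workdir/local_tmpwrite.mod" || return 1
    echo "$workdir/local_tmpwrite.pp"
}

# Stand-alone run: show the derived paths, lint the module, try to build it.
printf '%s' "$SELINUX_CONFIG_SAMPLE" | selinux_paths
if te_allows_perm execute; then
    echo "module grants execute on tmp files: reject it" >&2
else
    echo "module grants write but not execute on tmp files: ok"
fi
build_module || true
```

On a host without checkpolicy installed, build_module reports the missing tool and exits 2 instead of failing half way; the path derivation and the permission lint work anywhere, since they only read the embedded strings.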