Red Hat Bugzilla – Bug 187277
Several errors in SELinux FAQ
Last modified: 2007-04-18 13:40:58 EDT
- Under What is SELinux policy, the path to the interface files should be
/usr/share/selinux/devel/include, not headers.
- Several paths to policy files seem truncated to just /etc/selinux/policyname,
e.g. under What is SELinux policy, you list that as the path to the binary
policy files, but they live under a policy subdirectory of that directory.
Also, I personally find using $SELINUXTYPE to be less ambiguous there as that is
how it is defined in /etc/selinux/config.
- Under What are policy modules, there are a few issues:
1) The description seems a little confusing, as the kernel binary policy remains
monolithic and still must be replaced in total for change to take effect; what
has changed is that separable policy modules can now be built, distributed, and
linked together on end systems without requiring sources or the policy compiler
on the end systems.
2) You only mention semodule, but don't provide any pointers to the other key
commands involved in constructing and packaging modules (e.g. checkmodule,
semodule_package). Also need to note that they need to install checkpolicy
package to have checkmodule for compiling policy modules on the build systems
(but not necessary on end systems to which the modules are distributed).
3) You don't give any pointers to where they can learn how to actually write a
policy module. cf. the examples under /usr/share/selinux/devel and
- Under What is managed policy, you list /etc/selinux/policyname again as the
path, but the module store actually lives under the modules subdirectory there.
semodule is another example of a tool that uses libsemanage, and setsebool has
been rewritten to use it, so module and boolean management is also covered by it.
- The Where are SELinux AVC messages (denial logs, etc) stored? Q&A needs to be
moved up very early in the FAQ, as people need to know that in order to deal
with any issues at all, and it has changed in every FC release so far (messages
in FC3 -> audit.log in FC4 -> messages by default in FC5, but audit.log if you
install and enable auditd).
- Under What do these rpm errors mean, I believe that the genhomedircon warning
is gone completely.
- Under "I am writing an php script that needs to create temporary file in /tmp
and then execute them...", allowing any system service to execute anything it
can write is a bad idea for security no matter where it puts the file. How did
this even get into the FAQ? That is the classic attack pattern once you've
compromised a php script - download code to exploit e.g. a kernel vulnerability,
and then run it.
[[ Version-Release of FAQ
for example: selinux-faq-1.5.2 (2006-03-20)
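The module build sequence from item 2 (checkmodule, semodule_package, semodule) and the two AVC log locations from the "Where are SELinux AVC messages stored?" item, as an added example that is not code from the FAQ or from this bug report. The module name myapp, the single rule it carries, the temporary paths and the two sample denial lines are constructed for illustration:

```shell
#!/bin/sh
# Added example, not code from the FAQ or the bug report.  Shows the build
# host side (checkmodule + semodule_package, checkmodule coming from the
# checkpolicy package), the end system side (semodule, which only needs the
# .pp), and how to pull the fields out of an AVC denial whether it landed in
# /var/log/messages or in /var/log/audit/audit.log.
# Assumptions: the module "myapp", the rule it carries, and the two sample
# denial lines near the bottom are constructed for illustration.
set -u

# Minimal module source in the raw module language that checkmodule accepts
# directly (no m4 macros, so no /usr/share/selinux/devel Makefile needed).
# $1 = output path
write_module_source() {
    cat > "$1" <<'EOF'
module myapp 1.0;

require {
    type httpd_t;
    type tmp_t;
    class file { read getattr };
}

# Let httpd read tmp_t files.  Deliberately no execute: letting a daemon
# run whatever it can write is the attack pattern the report objects to.
allow httpd_t tmp_t:file { read getattr };
EOF
}

# Build host: compile the source into a .mod and wrap it into a .pp package.
# $1 = module source (.te), $2 = output package (.pp)
# Returns 2 if checkmodule is missing (checkpolicy package not installed),
# 1 if compiling or packaging fails, 0 on success.
build_module() {
    src=$1
    pkg=$2
    mod=${pkg%.pp}.mod
    if ! command -v checkmodule >/dev/null 2>&1; then
        echo "checkmodule not found: install the checkpolicy package" >&2
        return 2
    fi
    # -M: MLS/MCS-enabled policy (FC5 targeted policy is MCS), -m: build a
    # loadable module rather than a base policy
    checkmodule -M -m -o "$mod" "$src" || return 1
    semodule_package -o "$pkg" -m "$mod" || return 1
}

# End system, as root (no checkpolicy needed there):
#   semodule -i myapp.pp   # add to the store under /etc/selinux/$SELINUXTYPE/modules
#                          # and relink the kernel binary under .../policy
#   semodule -l            # list installed modules
#   semodule -r myapp      # remove it again

# Extract "scontext tcontext tclass perms" from one AVC denial line.  Handles
# both the syslog form ("kernel: audit(...): avc:  denied") found in
# /var/log/messages and the auditd form ("type=AVC msg=audit(...)") found in
# audit.log.  Prints nothing and returns 1 if the line is not a denial.
# $1 = log line
parse_avc() {
    line=$1
    case $line in
        *"avc:"*"denied"*"{"*) ;;
        *) return 1 ;;
    esac
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *} *for.*/\1/p')
    scontext=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tcontext=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$scontext" "$tcontext" "$tclass" "$perms"
}

# Constructed sample denials: the same event as syslog would record it
# (no auditd) and as auditd would record it.
MSG_LINE='Mar 20 10:11:12 fc5 kernel: audit(1142848272.517:1234): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=hda3 ino=98765 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'
AUDIT_LINE='type=AVC msg=audit(1142848272.517:1234): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=hda3 ino=98765 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

if [ "${1:-}" = "demo" ]; then
    parse_avc "$MSG_LINE"
    parse_avc "$AUDIT_LINE"
    write_module_source ./myapp.te && build_module ./myapp.te ./myapp.pp
fi
```

Run it with the argument `demo` on a build host with checkpolicy installed to produce myapp.pp; copy only the .pp to the end system and load it with `semodule -i`. The parse function keys on the `scontext=`/`tcontext=`/`tclass=` fields, which are identical in both log formats; only the prefix before `audit(...)` differs.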
*** This bug has been marked as a duplicate of 187276 ***