From e0bcffc3e311dad512608533207763baaeeec3df Mon Sep 17 00:00:00 2001 From: Barbora Ančincová Date: May 25 2015 11:56:00 +0000 Subject: Refer to → See Conflicts: en-US/part_I/Working_With_SELinux.xml --- diff --git a/en-US/part_I/Contexts_and_Attributes.xml b/en-US/part_I/Contexts_and_Attributes.xml index 96605f6..e77c008 100644 --- a/en-US/part_I/Contexts_and_Attributes.xml +++ b/en-US/part_I/Contexts_and_Attributes.xml 
@@ -85,7 +85,7 @@ system_u system_u s0-s0:c0.c1023 * If the category set is a contiguous series, it can be abbreviated. For example, c0.c3 is the same as c0,c1,c2,c3. The /etc/selinux/targeted/setrans.conf file maps levels (s0:c0) to human-readable form (that is CompanyConfidential). In &MAJOROS;, targeted policy enforces MCS, and in MCS, there is just one sensitivity, s0. MCS in &MAJOROS; supports 1024 different categories: c0 through to c1023. s0-s0:c0.c1023 is sensitivity s0 and authorized for all categories. - MLS enforces the Bell-La Padula Mandatory Access Model, and is used in Labeled Security Protection Profile (LSPP) environments. To use MLS restrictions, install the selinux-policy-mls package, and configure MLS to be the default SELinux policy. The MLS policy shipped with &MAJOROS; omits many program domains that were not part of the evaluated configuration, and therefore, MLS on a desktop workstation is unusable (no support for the X Window System); however, an MLS policy from the upstream SELinux Reference Policy can be built that includes all program domains. For more information on MLS configuration, refer to . + MLS enforces the Bell-La Padula Mandatory Access Model, and is used in Labeled Security Protection Profile (LSPP) environments. To use MLS restrictions, install the selinux-policy-mls package, and configure MLS to be the default SELinux policy. The MLS policy shipped with &MAJOROS; omits many program domains that were not part of the evaluated configuration, and therefore, MLS on a desktop workstation is unusable (no support for the X Window System); however, an MLS policy from the upstream SELinux Reference Policy can be built that includes all program domains. For more information on MLS configuration, see . diff --git a/en-US/part_I/Further_Information.xml b/en-US/part_I/Further_Information.xml index 1183e48..455f2fe 100644 --- a/en-US/part_I/Further_Information.xml +++ b/en-US/part_I/Further_Information.xml 
@@ -58,7 +58,7 @@ Other Resources The National Security Agency (NSA) - NSA was the original developer of SELinux. Researchers in NSA's National Information Assurance Research Laboratory (NIARL) designed and implemented flexible mandatory access controls in the major subsystems of the Linux kernel and implemented the new operating system components provided by the Flask architecture, namely the security server and the access vector cache.Refer to the NSA Contributors to SELinux page for more information. + NSA was the original developer of SELinux. Researchers in NSA's National Information Assurance Research Laboratory (NIARL) designed and implemented flexible mandatory access controls in the major subsystems of the Linux kernel and implemented the new operating system components provided by the Flask architecture, namely the security server and the access vector cache.See the NSA Contributors to SELinux page for more information. diff --git a/en-US/part_I/Introduction.xml b/en-US/part_I/Introduction.xml index 002d029..22ec134 100644 --- a/en-US/part_I/Introduction.xml +++ b/en-US/part_I/Introduction.xml 
@@ -13,7 +13,7 @@ Relying on DAC mechanisms alone is fundamentally inadequate for strong system security. DAC access decisions are only based on user identity and ownership, ignoring other security-relevant information such as the role of the user, the function and trustworthiness of the program, and the sensitivity and integrity of the data. Each user typically has complete discretion over their files, making it difficult to enforce a system-wide security policy. Furthermore, every program run by a user inherits all of the permissions granted to the user and is free to change access to the user's files, so minimal protection is provided against malicious software. Many system services and privileged programs run with coarse-grained privileges that far exceed their requirements, so that a flaw in any one of these programs could be exploited to obtain further system access. - "Integrating Flexible Support for Security Policies into the Linux Operating System", by Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National Security Agency and is, consequently, in the public domain. Refer to the original paper for details and the document as it was first released. Any edits and changes were done by Murray McAllister. + "Integrating Flexible Support for Security Policies into the Linux Operating System", by Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National Security Agency and is, consequently, in the public domain. See the original paper for details and the document as it was first released. Any edits and changes were done by Murray McAllister. 
@@ -30,7 +30,7 @@ Security-Enhanced Linux (SELinux) adds Mandatory Access Control (MAC) to the Linux kernel, and is enabled by default in &MAJOROS;. A general purpose MAC architecture needs the ability to enforce an administratively-set security policy over all processes and files in the system, basing decisions on labels containing a variety of security-relevant information. When properly implemented, it enables a system to adequately defend itself and offers critical support for application security by protecting against the tampering with, and bypassing of, secured applications. MAC provides strong separation of applications that permits the safe execution of untrustworthy applications. Its ability to limit the privileges associated with executing processes limits the scope of potential damage that can result from the exploitation of vulnerabilities in applications and system services. MAC enables information to be protected from legitimate users with limited authorization as well as from authorized users who have unwittingly executed malicious applications. - "Meeting Critical Security Objectives with Security-Enhanced Linux", by Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National Security Agency and is, consequently, in the public domain. Refer to the original paper for details and the document as it was first released. Any edits and changes were done by Murray McAllister. + "Meeting Critical Security Objectives with Security-Enhanced Linux", by Peter Loscocco and Stephen Smalley. This paper was originally prepared for the National Security Agency and is, consequently, in the public domain. See the original paper for details and the document as it was first released. Any edits and changes were done by Murray McAllister. 
@@ -140,7 +140,7 @@ - Refer to the NetworkWorld.com article, A seatbelt for server software: SELinux blocks real-world exploits + See the NetworkWorld.com article, A seatbelt for server software: SELinux blocks real-world exploits Marti, Don. "A seatbelt for server software: SELinux blocks real-world exploits". Published 24 February 2008. Accessed 27 August 2009: . diff --git a/en-US/part_I/Managing_Users.xml b/en-US/part_I/Managing_Users.xml index 9312827..7062763 100644 --- a/en-US/part_I/Managing_Users.xml +++ b/en-US/part_I/Managing_Users.xml @@ -5,7 +5,7 @@ Confining Users - A number of confined SELinux users are available in &MAJOROS;. Each Linux user is mapped to an SELinux user using SELinux policy, allowing Linux users to inherit the restrictions placed on SELinux users, for example (depending on the user), not being able to: run the X Window System; use networking; run setuid applications (unless SELinux policy permits it); or run the su and sudo commands. This helps protect the system from the user. Refer to for further information about confined users. + A number of confined SELinux users are available in &MAJOROS;. Each Linux user is mapped to an SELinux user using SELinux policy, allowing Linux users to inherit the restrictions placed on SELinux users, for example (depending on the user), not being able to: run the X Window System; use networking; run setuid applications (unless SELinux policy permits it); or run the su and sudo commands. This helps protect the system from the user. See for further information about confined users.
Linux and SELinux User Mappings diff --git a/en-US/part_I/Troubleshooting.xml b/en-US/part_I/Troubleshooting.xml index 47181c2..adc5935 100644 --- a/en-US/part_I/Troubleshooting.xml +++ b/en-US/part_I/Troubleshooting.xml @@ -81,7 +81,7 @@ You don't have permission to access file name on ~]# restorecon -R -v /srv/myweb - Refer to for further information about adding contexts to the file-context configuration. + See for further information about adding contexts to the file-context configuration.
What is the Correct Context? @@ -112,7 +112,7 @@ restorecon reset /var/www/html/page1.html context unconfined_u:object_r:samba_sh restorecon reset /var/www/html/index.html context unconfined_u:object_r:samba_share_t:s0->system_u:object_r:httpd_sys_content_t:s0 - Refer to for a more detailed example of matchpathcon. + See for a more detailed example of matchpathcon.
@@ -145,7 +145,7 @@ httpd_enable_ftp_server --> off tftp_anon_write --> off - For a list of Booleans and whether they are on or off, run the getsebool -a command. For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the semanage boolean -l command as root. Refer to for information about listing and configuring Booleans. + For a list of Booleans and whether they are on or off, run the getsebool -a command. For a list of Booleans, an explanation of what each one is, and whether they are on or off, run the semanage boolean -l command as root. See for information about listing and configuring Booleans. Port Numbers @@ -205,7 +205,7 @@ type=AVC msg=audit(1225948455.061:294): avc: denied { name_bind } for pid=499 Applications may be broken, causing SELinux to deny access. Also, SELinux rules are evolving – SELinux may not have seen an application running in a certain way, possibly causing it to deny access, even though the application is working as expected. For example, if a new version of PostgreSQL is released, it may perform actions the current policy has not seen before, causing access to be denied, even though access should be allowed. - For these situations, after access is denied, use the audit2allow utility to create a custom policy module to allow access. Refer to for information about using audit2allow. + For these situations, after access is denied, use the audit2allow utility to create a custom policy module to allow access. See for information about using audit2allow.
@@ -239,7 +239,7 @@ type=AVC msg=audit(1225948455.061:294): avc: denied { name_bind } for pid=499 This assumes the default configuration, in which httpd runs as the Linux Apache user. If you run httpd with a different user, replace apache:apache with that user.
- Refer to the Fedora Documentation Project "Permissions" draft for information about managing Linux permissions. + See the Fedora Documentation Project "Permissions" draft for information about managing Linux permissions. @@ -271,7 +271,7 @@ dontaudit smbd_t squid_port_t : tcp_socket name_bind ; dontaudit smbd_t squid_port_t : udp_socket name_bind ; - Refer to and for information about analyzing denials. + See and for information about analyzing denials. @@ -381,7 +381,7 @@ type=SYSCALL msg=audit(1226882925.714:136): arch=40000003 syscall=5 success=yes In this case, although an AVC denial was logged, access was not denied, as shown by success=yes in the SYSCALL message. - Refer to Dan Walsh's "Permissive Domains" blog entry for further information about permissive domains. + See Dan Walsh's "Permissive Domains" blog entry for further information about permissive domains. @@ -390,11 +390,11 @@ type=SYSCALL msg=audit(1226882925.714:136): arch=40000003 syscall=5 success=yes
Searching For and Viewing Denials - This section assumes the setroubleshoot, setroubleshoot-server, dbus and audit packages are installed, and that the auditd, rsyslogd, and setroubleshootd daemons are running. Refer to for information about starting these daemons. A number of utilites are available for searching for and viewing SELinux AVC messages, such as ausearch, aureport, and sealert. + This section assumes the setroubleshoot, setroubleshoot-server, dbus and audit packages are installed, and that the auditd, rsyslogd, and setroubleshootd daemons are running. See for information about starting these daemons. A number of utilites are available for searching for and viewing SELinux AVC messages, such as ausearch, aureport, and sealert. ausearch - The audit package provides the ausearch utility that can query the audit daemon logs based for events based on different search criteria.Refer to the ausearch8 manual page for further information about ausearch. The ausearch utility accesses /var/log/audit/audit.log, and as such, must be run as the root user: + The audit package provides the ausearch utility that can query the audit daemon logs based for events based on different search criteria.See the ausearch8 manual page for further information about ausearch. The ausearch utility accesses /var/log/audit/audit.log, and as such, must be run as the root user: Searching For 
@@ -420,11 +420,11 @@ type=SYSCALL msg=audit(1226882925.714:136): arch=40000003 syscall=5 success=yes ~]# ausearch -m avc -c smbd - With each ausearch command, it is advised to use either the () option for easier readability, or the () option for script processing. Refer to the ausearch8 manual page for further ausearch options. + With each ausearch command, it is advised to use either the () option for easier readability, or the () option for script processing. See the ausearch8 manual page for further ausearch options. aureport - The audit package provides the aureport utility, which produces summary reports of the audit system logs. Refer to the aureport8 manual page for further information about aureport. The aureport utility accesses /var/log/audit/audit.log, and as such, must be run as the root user. To view a list of SELinux denial messages and how often each one occurred, run the aureport -a command. The following is example output that includes two denials: + The audit package provides the aureport utility, which produces summary reports of the audit system logs. See the aureport8 manual page for further information about aureport. The aureport utility accesses /var/log/audit/audit.log, and as such, must be run as the root user. To view a list of SELinux denial messages and how often each one occurred, run the aureport -a command. The following is example output that includes two denials: ~]# aureport -a @@ -660,7 +660,7 @@ node=hostname type=SYSCALL msg=audit(1225812178.788:1 Raw Audit Messages - The raw audit messages from /var/log/audit/audit.log that are associated with the denial. Refer to for information about each item in the AVC denial. + The raw audit messages from /var/log/audit/audit.log that are associated with the denial. See for information about each item in the AVC denial. 
@@ -676,7 +676,7 @@ node=hostname type=SYSCALL msg=audit(1225812178.788:1 - The audit2allow utility gathers information from logs of denied operations and then generates SELinux policy allow rules.Refer to the audit2allow1 manual page for more information about audit2allow. After analyzing denial messages as per , and if no label changes or Booleans allowed access, use audit2allow to create a local policy module. When access is denied by SELinux, running audit2allow generates Type Enforcement rules that allow the previously denied access. + The audit2allow utility gathers information from logs of denied operations and then generates SELinux policy allow rules.See the audit2allow1 manual page for more information about audit2allow. After analyzing denial messages as per , and if no label changes or Booleans allowed access, use audit2allow to create a local policy module. When access is denied by SELinux, running audit2allow generates Type Enforcement rules that allow the previously denied access. The following example demonstrates using audit2allow to create a policy module: diff --git a/en-US/part_I/Working_With_SELinux.xml b/en-US/part_I/Working_With_SELinux.xml index 393071e..977cf2c 100644 --- a/en-US/part_I/Working_With_SELinux.xml +++ b/en-US/part_I/Working_With_SELinux.xml 
@@ -22,7 +22,7 @@ - selinux-policy provides configuration for the SELinux Reference policy. The SELinux Reference Policy is a complete SELinux policy, and is used as a basis for other policies, such as the SELinux targeted policy; refer to the Tresys Technology SELinux Reference Policy page for further information. This package contains the selinux-policy.conf file and RPM macros. + selinux-policy provides configuration for the SELinux Reference policy. The SELinux Reference Policy is a complete SELinux policy, and is used as a basis for other policies, such as the SELinux targeted policy; see the Tresys Technology SELinux Reference Policy page for further information. This package contains the selinux-policy.conf file and RPM macros. @@ -77,7 +77,7 @@ --> - The setools package is a meta-package for SETools. The setools-gui package provides the apol and seaudit utilities. The setools-console package provides the sechecker, sediff, seinfo, sesearch, and findcon command-line utilities. Refer to the Tresys Technology SETools page for information about these utilities. + The setools package is a meta-package for SETools. The setools-gui package provides the apol and seaudit utilities. The setools-console package provides the sechecker, sediff, seinfo, sesearch, and findcon command-line utilities. See the Tresys Technology SETools page for information about these utilities. @@ -201,7 +201,7 @@ SELINUXTYPE=targeted SELINUXTYPE=targeted - The option sets the SELinux policy to use. Targeted policy is the default policy. Only change this option if you want to use the MLS policy. For information on how to enable the MLS policy, refer to . + The option sets the SELinux policy to use. Targeted policy is the default policy. Only change this option if you want to use the MLS policy. For information on how to enable the MLS policy, see . 
@@ -406,7 +406,7 @@ SELINUXTYPE=targeted - In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as root, run the following command to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. Refer to for troubleshooting information if SELinux denied access during boot. + In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as root, run the following command to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. See for troubleshooting information if SELinux denied access during boot. ~]# grep "SELinux is preventing" /var/log/messages @@ -883,7 +883,7 @@ restorecon reset /web/file1 context unconfined_u:object_r:httpd_sys_content_t:s0 - Refer to the chcon1 manual page for further information about chcon. + See the chcon1 manual page for further information about chcon. 
@@ -1101,7 +1101,7 @@ restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->syste Use the mount -o context command to override existing extended attributes, or to specify a different, default context for file systems that do not support extended attributes. This is useful if you do not trust a file system to supply the correct attributes, for example, removable media used in multiple systems. The mount -o context command can also be used to support labeling for file systems that do not support extended attributes, such as File Allocation Table (FAT) or NFS volumes. The context specified with the option is not written to disk: the original contexts are preserved, and are seen when mounting without (if the file system had extended attributes in the first place). - For further information about file system labeling, refer to James Morris's "Filesystem Labeling in SELinux" article: . + For further information about file system labeling, see James Morris's "Filesystem Labeling in SELinux" article: .
Context Mounts @@ -1111,7 +1111,7 @@ restorecon reset /web/file1 context unconfined_u:object_r:default_t:s0->syste ~]# mount server:/export /local/mount/point -o \ context="system_u:object_r:httpd_sys_content_t:s0" - Newly-created files and directories on this file system appear to have the SELinux context specified with . However, since these changes are not written to disk, the context specified with this option does not persist between mounts. Therefore, this option must be used with the same context specified during every mount to retain the desired context. For information about making context mount persistent, refer to . + Newly-created files and directories on this file system appear to have the SELinux context specified with . However, since these changes are not written to disk, the context specified with this option does not persist between mounts. Therefore, this option must be used with the same context specified during every mount to retain the desired context. For information about making context mount persistent, see . Type Enforcement is the main permission control used in SELinux targeted policy. For the most part, SELinux users and roles can be ignored, so, when overriding the SELinux context with , use the SELinux system_u user and object_r role, and concentrate on the type. If you are not using the MLS policy or multi-category security, use the s0 level. 
@@ -1170,10 +1170,10 @@ context="system_u:object_r:httpd_sys_content_t:s0" ~]# mount server:/export /local/mount/point -o context="system_u:object_r:httpd_sys_content_t:s0" - Since these changes are not written to disk, the context specified with this option does not persist between mounts. Therefore, this option must be used with the same context specified during every mount to retain the desired context. For information about making context mount persistent, refer to . + Since these changes are not written to disk, the context specified with this option does not persist between mounts. Therefore, this option must be used with the same context specified during every mount to retain the desired context. For information about making context mount persistent, see . - As an alternative to mounting file systems with options, Booleans can be enabled to allow services access to file systems labeled with the nfs_t type. Refer to for instructions on configuring Booleans to allow services access to the nfs_t type. + As an alternative to mounting file systems with options, Booleans can be enabled to allow services access to file systems labeled with the nfs_t type. See for instructions on configuring Booleans to allow services access to the nfs_t type.
@@ -1463,7 +1463,7 @@ drwxr-xr-x root root system_u:object_r:httpd_sys_content_t:s0 /var/www/html/
Checking the Default SELinux Context - Use the matchpathcon utility to check if files and directories have the correct SELinux context. This utility queries the system policy and then provides the default security context associated with the file path.Refer to the matchpathcon8 manual page for further information about matchpathcon. The following example demonstrates using matchpathcon to verify that files in /var/www/html/ directory are labeled correctly: + Use the matchpathcon utility to check if files and directories have the correct SELinux context. This utility queries the system policy and then provides the default security context associated with the file path.See the matchpathcon8 manual page for further information about matchpathcon. The following example demonstrates using matchpathcon to verify that files in /var/www/html/ directory are labeled correctly: Checking the Default SELinux Conxtext with <systemitem>matchpathcon</systemitem> @@ -1915,7 +1915,7 @@ Permissive - In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as root, run the following command to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. Refer to for troubleshooting information if SELinux denied access during boot. + In permissive mode, SELinux policy is not enforced, but denials are still logged for actions that would have been denied if running in enforcing mode. Before changing to enforcing mode, as root, run the following command to confirm that SELinux did not deny actions during the last boot. If SELinux did not deny actions during the last boot, this command does not return any output. See for troubleshooting information if SELinux denied access during boot. ~]# grep "SELinux is preventing" /var/log/messages 
diff --git a/en-US/part_II/Apache_HTTP_Server.xml b/en-US/part_II/Apache_HTTP_Server.xml index aff706a..2bc3226 100644 --- a/en-US/part_II/Apache_HTTP_Server.xml +++ b/en-US/part_II/Apache_HTTP_Server.xml @@ -299,7 +299,7 @@ drwxr-xr-x root root unconfined_u:object_r:default_t:s0 /my - Refer to for further information about chcon. + See for further information about chcon. Use the semanage fcontext command (semanage is provided by the policycoreutils-python package) to make label changes that survive a relabel and the restorecon command. This command adds changes to file-context configuration. Then, run restorecon, which reads file-context configuration, to apply the label change. The following example demonstrates creating a new directory and an index.html file for use by httpd, and persistently changing the label of that directory and file to allow httpd access to them: @@ -341,7 +341,7 @@ restorecon reset /my/website/index.html context unconfined_u:object_r:default_t: - Refer to for further information on semanage. + See for further information on semanage.
diff --git a/en-US/part_II/Introduction.xml b/en-US/part_II/Introduction.xml index cee4a18..bac98b4 100644 --- a/en-US/part_II/Introduction.xml +++ b/en-US/part_II/Introduction.xml @@ -8,7 +8,7 @@ This part of the book focuses more on practical tasks and provides information how to set up and configure various services. For each service, there are listed the most common types and Booleans with the specifications. Also included are real-world examples of configuring those services and demonstrations of how SELinux complements their operation. - When SELinux is in enforcing mode, the default policy used in &MAJOROS;, is the targeted policy. Processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain. Refer to for more information about targeted policy and confined and unconfined processes. + When SELinux is in enforcing mode, the default policy used in &MAJOROS;, is the targeted policy. Processes that are targeted run in a confined domain, and processes that are not targeted run in an unconfined domain. See for more information about targeted policy and confined and unconfined processes. diff --git a/en-US/part_II/MariaDB.xml b/en-US/part_II/MariaDB.xml index 2b75fae..7e5e0a2 100644 --- a/en-US/part_II/MariaDB.xml +++ b/en-US/part_II/MariaDB.xml @@ -5,7 +5,7 @@ MariaDB (a replacement for MySQL) - The MariaDB database is a multi-user, multi-threaded SQL database server that consists of the MariaDB server daemon (mysqld) and many client programs and libraries.Refer to the MariaDB project page for more information. + The MariaDB database is a multi-user, multi-threaded SQL database server that consists of the MariaDB server daemon (mysqld) and many client programs and libraries.See the MariaDB project page for more information. In &MAJOROS;, the mariadb-server package provides MariaDB. Run the following command to see if the mariadb-server package is installed: 
@@ -75,7 +75,7 @@ system_u:system_r:mysqld_t:s0 13014 ? 00:00: mysqld_db_t - This type is used for the location of the MariaDB database. In &MAJOROS;, the default location for the database is the /var/lib/mysql/ directory, however this can be changed. If the location for the MariaDB database is changed, the new location must be labeled with this type. Refer to the example in for instructions on how to change the default database location and how to label the new section appropriately. + This type is used for the location of the MariaDB database. In &MAJOROS;, the default location for the database is the /var/lib/mysql/ directory, however this can be changed. If the location for the MariaDB database is changed, the new location must be labeled with this type. See the example in for instructions on how to change the default database location and how to label the new section appropriately. 
@@ -171,7 +171,7 @@ system_u:system_r:mysqld_t:s0 13014 ? 00:00: The location where the database is stored can be changed depending on individual environment requirements or preferences, however it is important that SELinux is aware of this new location; that it is labeled accordingly. This example explains how to change the location of a MariaDB database and then how to label the new location so that SELinux can still provide its protection mechanisms to the new area based on its contents. - Note that this is an example only and demonstrates how SELinux can affect MariaDB. Comprehensive documentation of MariaDB is beyond the scope of this document. Refer to the official MariaDB documentation for further details. This example assumes that the mariadb-server and setroubleshoot-server packages are installed, that the auditd service is running, and that there is a valid database in the default location of /var/lib/mysql/. + Note that this is an example only and demonstrates how SELinux can affect MariaDB. Comprehensive documentation of MariaDB is beyond the scope of this document. See the official MariaDB documentation for further details. This example assumes that the mariadb-server and setroubleshoot-server packages are installed, that the auditd service is running, and that there is a valid database in the default location of /var/lib/mysql/. diff --git a/en-US/part_II/NFS.xml b/en-US/part_II/NFS.xml index d6f8690..fa44676 100644 --- a/en-US/part_II/NFS.xml +++ b/en-US/part_II/NFS.xml 
@@ -4,7 +4,7 @@ Network File System - A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file systems as though they are mounted locally. This enables system administrators to consolidate resources onto centralized servers on the network.Refer to the Network File System (NFS) chapter in the Storage Administration Guide for more information. + A Network File System (NFS) allows remote hosts to mount file systems over a network and interact with those file systems as though they are mounted locally. This enables system administrators to consolidate resources onto centralized servers on the network.See the Network File System (NFS) chapter in the Storage Administration Guide for more information. In &MAJOROS;, the nfs-utils package is required for full NFS support. Run the following command to see if the nfs-utils is installed: diff --git a/en-US/part_II/Postfix.xml b/en-US/part_II/Postfix.xml index 8aa373c..2284591 100644 --- a/en-US/part_II/Postfix.xml +++ b/en-US/part_II/Postfix.xml 
@@ -167,7 +167,7 @@ package spamassassin is not installed SpamAssassin operates in tandem with a mailer such as Postfix to provide spam-filtering capabilities. In order for SpamAssassin to effectively intercept, analyze and filter mail, it must listen on a network interface. The default port for SpamAssassin is TCP/783, however this can be changed. The following example provides a real-world demonstration of how SELinux complements SpamAssassin by only allowing it access to a certain port by default. This example will then demonstrate how to change the port and have SpamAssassin operate on a non-default port. -Note that this is an example only and demonstrates how SELinux can affect a simple configuration of SpamAssassin. Comprehensive documentation of SpamAssassin is beyond the scope of this document. Refer to the official SpamAssassin documentation for further details. This example assumes the spamassassin is installed, that any firewall has been configured to allow access on the ports in use, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode: +Note that this is an example only and demonstrates how SELinux can affect a simple configuration of SpamAssassin. Comprehensive documentation of SpamAssassin is beyond the scope of this document. See the official SpamAssassin documentation for further details. This example assumes the spamassassin is installed, that any firewall has been configured to allow access on the ports in use, that the SELinux targeted policy is used, and that SELinux is running in enforcing mode: Running SpamAssassin on a non-default port diff --git a/en-US/part_II/PostgreSQL.xml b/en-US/part_II/PostgreSQL.xml index b204b65..cee9968 100644 --- a/en-US/part_II/PostgreSQL.xml +++ b/en-US/part_II/PostgreSQL.xml 
@@ -5,7 +5,7 @@ PostgreSQL - PostgreSQL is an Object-Relational database management system (DBMS).Refer to the PostgreSQL project page for more information. + PostgreSQL is an Object-Relational database management system (DBMS).See the PostgreSQL project page for more information. In &MAJOROS;, the postgresql-server package provides PostgreSQL. Run the following command to see if the postgresql-server package is installed: @@ -237,7 +237,7 @@ system_u:system_r:postgresql_t:s0 402 ? 00:00:00 p The area where the database is located can be changed depending on individual environment requirements or preferences, however it is important that SELinux is aware of this new location; that it is labeled accordingly. This example explains how to change the location of a PostgreSQL database and then how to label the new location so that SELinux can still provide its protection mechanisms to the new area based on its contents. - Note that this is an example only and demonstrates how SELinux can affect PostgreSQL. Comprehensive documentation of PostgreSQL is beyond the scope of this document. Refer to the official PostgreSQL documentation for further details. This example assumes that the postgresql-server package is installed. + Note that this is an example only and demonstrates how SELinux can affect PostgreSQL. Comprehensive documentation of PostgreSQL is beyond the scope of this document. See the official PostgreSQL documentation for further details. This example assumes that the postgresql-server package is installed. diff --git a/en-US/part_II/Rsync.xml b/en-US/part_II/Rsync.xml index 386dbf7..6e47057 100644 --- a/en-US/part_II/Rsync.xml +++ b/en-US/part_II/Rsync.xml 
@@ -5,7 +5,7 @@ rsync - The rsync utility performs fast file transfer and it is used for synchronizing data between systems. Refer to the Rsync project page for more information. + The rsync utility performs fast file transfer and it is used for synchronizing data between systems. See the Rsync project page for more information. When using &MAJOROS;, the rsync package provides rsync. Run the following command to see if the rsync package is installed: @@ -25,7 +25,7 @@ package rsync is not installed
rsync and SELinux - SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files. If you want to share files using the rsync daemon, you must label the files and directories with the public_content_t type. Like most services, correct labeling is required for SELinux to perform its protection mechanisms over rsync.Refer to the rsync_selinux8 manual page for more information about rsync and SELinux. + SELinux requires files to have an extended attribute to define the file type. Policy governs the access daemons have to these files. If you want to share files using the rsync daemon, you must label the files and directories with the public_content_t type. Like most services, correct labeling is required for SELinux to perform its protection mechanisms over rsync.See the rsync_selinux8 manual page for more information about rsync and SELinux.
@@ -137,7 +137,7 @@ package rsync is not installed
- This example will be performed on a single system to demonstrate SELinux policy and its control over local daemons and processes. Note that this is an example only and demonstrates how SELinux can affect rsync. Comprehensive documentation of rsync is beyond the scope of this document. Refer to the official rsync documentation for further details. This example assumes that the rsync, setroubleshoot-server and audit packages are installed, that the SELinux targeted policy is used and that SELinux is running in enforcing mode. + This example will be performed on a single system to demonstrate SELinux policy and its control over local daemons and processes. Note that this is an example only and demonstrates how SELinux can affect rsync. Comprehensive documentation of rsync is beyond the scope of this document. See the official rsync documentation for further details. This example assumes that the rsync, setroubleshoot-server and audit packages are installed, that the SELinux targeted policy is used and that SELinux is running in enforcing mode. diff --git a/en-US/part_II/Squid.xml b/en-US/part_II/Squid.xml index 8d9c2b9..f39c8e6 100644 --- a/en-US/part_II/Squid.xml +++ b/en-US/part_II/Squid.xml @@ -5,7 +5,7 @@ Squid Caching Proxy - Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages.Refer to the Squid Caching Proxy project page for more information. + Squid is a high-performance proxy caching server for web clients, supporting FTP, Gopher, and HTTP data objects. It reduces bandwidth and improves response times by caching and reusing frequently-requested web pages.See the Squid Caching Proxy project page for more information. In &MAJOROS;, the squid package provides the Squid Caching Proxy. Run the following command to see if the squid package is installed: 
@@ -250,7 +250,7 @@ localhost setroubleshoot: SELinux is preventing the squid (squid_t) from binding The following example provides a real-world demonstration of how SELinux complements Squid by enforcing the above Boolean and by default only allowing access to certain ports. This example will then demonstrate how to change the Boolean and show that access is then allowed. - Note that this is an example only and demonstrates how SELinux can affect a simple configuration of Squid. Comprehensive documentation of Squid is beyond the scope of this document. Refer to the official Squid documentation for further details. This example assumes that the Squid host has two network interfaces, Internet access, and that any firewall has been configured to allow access on the internal interface using the default TCP port on which Squid listens (TCP 3128). + Note that this is an example only and demonstrates how SELinux can affect a simple configuration of Squid. Comprehensive documentation of Squid is beyond the scope of this document. See the official Squid documentation for further details. This example assumes that the Squid host has two network interfaces, Internet access, and that any firewall has been configured to allow access on the internal interface using the default TCP port on which Squid listens (TCP 3128).
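Review bot: In the MariaDB @@ -171 hunk, the unchanged context sentence "The location where the database is stored can be changed ..., however it is important that SELinux is aware of this new location; that it is labeled accordingly" joins two independent clauses with a bare comma and then a stray semicolon. Since this paragraph is being touched, suggest "... preferences; however, it is important that SELinux is aware of this new location, that is, that it is labeled accordingly." The PostgreSQL @@ -237 hunk carries the same sentence and should get the same fix.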
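Review bot: The + line in the NFS @@ -4 hunk reads "on the network.See the Network File System (NFS) chapter" with no space after the period. If "See ..." is in the same text node as the preceding sentence rather than in a separate element such as a footnote, add the space while the line is being rewritten; as shown in the diff the rendered text runs the two sentences together.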
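Review bot: In the Postfix @@ -167 hunk, "This example assumes the spamassassin is installed" (identical in the - and + lines) is missing the word "package". Since the line is being rewritten anyway, make it "This example assumes that the spamassassin package is installed" to match the wording of the MariaDB and PostgreSQL hunks ("the mariadb-server and setroubleshoot-server packages are installed").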
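Review bot: Same run-together boundary in the PostgreSQL @@ -5 hunk: "(DBMS).See the PostgreSQL project page" has no space after the closing parenthesis and period. Add the space if this is one text node rather than a footnote boundary.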
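Review bot: In the rsync @@ -5 hunk, "performs fast file transfer and it is used for synchronizing data between systems" mixes two subjects in one clause; "performs fast file transfers and is used for synchronizing data between systems" reads better and is worth folding in while the line is changed.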
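Review bot: Same missing space in the rsync @@ -25 hunk: "protection mechanisms over rsync.See the rsync_selinux8 manual page". Add the space if the two sentences share a text node; otherwise no change needed.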
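Review bot: Same missing space in the Squid @@ -5 hunk: "frequently-requested web pages.See the Squid Caching Proxy project page". Add the space if this is one text node rather than a footnote boundary.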
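Review bot: In the Squid @@ -250 hunk, the assumption list "assumes that the Squid host has two network interfaces, Internet access, and that any firewall has been configured" is not parallel: the first two items are objects of "has" and the third is a new "that" clause. Suggest "assumes that the Squid host has two network interfaces and Internet access, and that any firewall has been configured ..." while this line is being edited.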