From Fedora Project Wiki
Latest revision | Your text | ||
Line 11: | Line 11: | ||
Today's Fedora Test Day will focus on SELinux Confined Users - users which are assigned to a SELinux role and where the SELinux policy controls what the user can do/access on the system. Current confined user types with their purpose of use are: | Today's Fedora Test Day will focus on SELinux Confined Users - users which are assigned to a SELinux role and where the SELinux policy controls what the user can do/access on the system. Current confined user types with their purpose of use are: | ||
* <code>guest_u</code> – Terminal login, nosetuid, nonetwork, noxwindows, noexec in home directory. | |||
* <code>xguest_u</code> – X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory. | |||
* <code>user_u</code> – X Windows login and terminal login, nosetuid, noexec in home directory. | |||
* <code>staff_u</code> – X Windows login and terminal login, nosetuid except <code>sudo</code>. | |||
* kiosk user - X Windows login and terminal login, nosetuid, nonetwork, noexec in home directory. NO password required. Home directory and <code>/tmp</code> get destroyed on logout. | |||
* confined administrator - Able to manage only a predefined set of services. | |||
The purpose of test day is to test these SELinux users in usual/specific use cases. | The purpose of test day is to test these SELinux users in usual/specific use cases. | ||
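Review bot: in the left column (latest revision) the six-item list of confined user types is gone, so the sentence "Current confined user types with their purpose of use are:" ends on a colon with nothing after it; the right column restores the list (`guest_u`, `xguest_u`, `user_u`, `staff_u`, kiosk user, confined administrator), which is what the following sentence "to test these SELinux users" refers to. Restoring it is the right call. Minor consistency point for the restored list: the first four entries name the SELinux user identity in `<code>` while the kiosk and confined administrator entries give only a description, so a tester cannot tell from this list which identity to pick for those two cases.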
Line 49: | Line 40: | ||
echo > /var/log/audit/audit.log | echo > /var/log/audit/audit.log | ||
service auditd restart | service auditd restart | ||
service messagebus | service messagebus restart | ||
service restorecond restart | service restorecond restart | ||
setenforce 1 | setenforce 1 | ||
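Review bot: the left column's `service messagebus` has no action argument and will not restart anything; the right column's `service messagebus restart` is the correct line and matches the surrounding `restart` calls for auditd and restorecond. Worth a one-line caveat next to `echo > /var/log/audit/audit.log`: it truncates the audit log, so any earlier AVC records on the test machine are lost before the run, and the whole sequence, including `setenforce 1`, has to be executed as root.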
Line 73: | Line 64: | ||
The main goal is to test whether chosen confined user is able to do things which are allowed considering his/her SELinux role. And whether chosen confined user is not able to do things which are not allowed considering his/her role. For example if you log in as <code>xguest_u</code> and try to run <code>ping</code> or <code>sudo</code> in your favourite terminal you won't be able to run it. But if you won't be able to run '''Firefox''' then probably this is a bug. | The main goal is to test whether chosen confined user is able to do things which are allowed considering his/her SELinux role. And whether chosen confined user is not able to do things which are not allowed considering his/her role. For example if you log in as <code>xguest_u</code> and try to run <code>ping</code> or <code>sudo</code> in your favourite terminal you won't be able to run it. But if you won't be able to run '''Firefox''' then probably this is a bug. | ||
If you usually use another web browser than '''Firefox''', please continue to do so during the test day. Our | If you usually use another web browser than '''Firefox''', please continue to do so during the test day. Our intend is to test at least one program from each of the following groups: | ||
* mail clients (<code>mutt</code>, <code>alpine</code> etc.) | |||
* editors (<code>vim</code>, <code>emacs</code>, <code>nano</code> etc.) | |||
* networking tools (<code>ping</code>, <code>traceroute</code> etc.) | |||
* FTP clients | |||
* web browsers | |||
* audio / video players | |||
* samba mounting / tools | |||
* NFS mounting / tools | |||
* Java apps | |||
* office apps | |||
* printing / scanning tools | |||
* photo / camera manipulation | |||
* CD/DVD reading / writing | |||
* IM clients | |||
* flash players | |||
Issues found during the test day will help us to improve SELinux policy in future Fedora releases and derived distributions (e.g. RHEL and CentOS). | Issues found during the test day will help us to improve SELinux policy in future Fedora releases and derived distributions (e.g. RHEL and CentOS). | ||
== How to Report Problems == | == How to Report Problems == | ||
If you encounter problems (e.g. appl. A did not start, appl. B failed to do what you wanted, appl. C works only partially), try the following before | If you encounter problems (e.g. appl. A did not start, appl. B failed to do what you wanted, appl. C works only partially), try the following before following a bug | ||
# '''Permissive mode''' - switch to permissive mode (<code>setenforce 0</code>) and repeat your action. If SELinux denied your action in enforcing mode, it won't deny your action in permissive mode. Do not forget to switch back to enforcing mode (<code>setenforce 1</code>) before next testing. Root shell is needed. | # '''Permissive mode''' - switch to permissive mode (<code>setenforce 0</code>) and repeat your action. If SELinux denied your action in enforcing mode, it won't deny your action in permissive mode. Do not forget to switch back to enforcing mode (<code>setenforce 1</code>) before next testing. Root shell is needed. | ||
# '''{{command|ausearch}}''' - Run {{command|ausearch}} as advised below to see if new AVC messages appeared. Root shell is needed. | # '''{{command|ausearch}}''' - Run {{command|ausearch}} as advised below to see if new AVC messages appeared. Root shell is needed. | ||
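Review bot: two wording problems in the right column that should be fixed before publishing: "Our intend is to test at least one program" should read "Our intent is to test", and "try the following before following a bug" in the How to Report Problems line should presumably read "before filing a bug". The left column is worse, cutting both sentences off at "Our" and "before", so the restore is needed for the section to read at all. The permissive-mode step says to repeat the action after `setenforce 0` and the ausearch step says to look for new AVC messages; the order matters for the instruction "Do not forget to switch back to enforcing mode (`setenforce 1`) before next testing", so it would help to state that ausearch should be run before switching back, while the denial is still the most recent entry.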
Line 166: | Line 150: | ||
! G4<ref>need chmod 711 /home/USER and execute setsebool -P httpd_enable_homedirs=1</ref> | ! G4<ref>need chmod 711 /home/USER and execute setsebool -P httpd_enable_homedirs=1</ref> | ||
! G2<ref>I don't understand what does this step means, scp from localhost to localhost?</ref> | ! G2<ref>I don't understand what does this step means, scp from localhost to localhost?</ref> | ||
! <references/> | ! <references/> | ||
|} | |} | ||
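Review bot: the G4 footnote records a setup change rather than a test outcome: `chmod 711 /home/USER` plus `setsebool -P httpd_enable_homedirs=1`. The `-P` flag makes the boolean change persistent, so the test box no longer matches a default install for the later test cases; the footnote should say whether that is an expected prerequisite of G4 or a workaround. The G2 footnote ("scp from localhost to localhost?") shows the test step itself is ambiguous about source and destination hosts; that needs clarifying in the test case text, not just in the results.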
Line 244: | Line 186: | ||
! [[User:czhang]] | ! [[User:czhang]] | ||
! G1.G5.G6.G7<ref>Firefox core dumped, but desktop printing is normal</ref>.B1~B5 | ! G1.G5.G6.G7<ref>Firefox core dumped, but desktop printing is normal</ref>.B1~B5 | ||
! G2<ref>Firefox core dumped,can't test. Maybe {{bz|512845}} describes this bug.</ref>.G3<ref>ntfs disks | ! G2<ref>Firefox core dumped,can't test. Maybe {{bz|512845}} describes this bug.</ref>.G3<ref>ntfs disks could be readable/writable, fat32&ext2/3/4 couldn't</ref> | ||
! G4<ref>no device</ref> | ! G4<ref>no device</ref> | ||
! <references/> | ! <references/> | ||
|- | |- | ||
! guaneryu | ! guaneryu | ||
! G.1 G.2<ref>Start firefox with 'firefox -safe-mode'</ref> G.6 | ! G.1 G.2<ref>Start firefox with 'firefox -safe-mode'</ref> G.6 B.1~B.5 | ||
! | ! | ||
! G.3~G.5<ref>no device</ref> | ! G.3~G.5<ref>no device</ref> G.7 | ||
! <references/> | ! <references/> | ||
|- | |- | ||
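Review bot: the left column drops guaneryu's completed results (B.1~B.5 in Passed, G.7 in Skipped), which the right column restores. Two things to tidy in the restored rows: the G3 footnote ("ntfs disks could be readable/writable, fat32&ext2/3/4 couldn't") describes a policy finding but, unlike the G2 footnote, carries no bug reference such as a {{bz|...}} link; and the two rows use different case notation ("G1.G5.G6" versus "G.1 G.2"), which makes the table harder to scan.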
Line 258: | Line 200: | ||
! G.6<ref>can't start the NetworkManager</ref> | ! G.6<ref>can't start the NetworkManager</ref> | ||
! G.4~G.5<ref>no device</ref> | ! G.4~G.5<ref>no device</ref> | ||
! <references/> | ! <references/> | ||
|} | |} | ||
Line 342: | Line 236: | ||
|- | |- | ||
! guaneryu | ! guaneryu | ||
! | ! G1.G2.G3.G7.B1.B2.B4.B5 | ||
! | ! B3. | ||
! G4~G6<ref>no device</ref>.G8 | ! G4~G6<ref>no device</ref>.G8 | ||
! <references/> | ! <references/> | ||
|} | |} | ||
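Review bot: the left column leaves guaneryu's Passed and Failed cells empty, and the right column restores "G1.G2.G3.G7.B1.B2.B4.B5" and "B3." respectively. B3 is the only failed case in this row and has no footnote explaining what failed, whereas the skipped cases carry "no device"; a short ref on B3 would make the failure actionable.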
Line 418: | Line 275: | ||
! Skipped | ! Skipped | ||
! References | ! References | ||
|} | |} | ||
Line 489: | Line 310: | ||
! Skipped | ! Skipped | ||
! References | ! References | ||
|} | |} | ||
Line 530: | Line 333: | ||
! Skipped | ! Skipped | ||
! References | ! References | ||
|} | |} | ||
Line 576: | Line 371: | ||
! Skipped | ! Skipped | ||
! References | ! References | ||
|} | |} | ||
Line 590: | Line 379: | ||
# http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confined.html | # http://selinux-mac.blogspot.com/2009/06/selinux-lockdown-part-one-confined.html | ||
[[Category:Test Days]] | |||
[[Category: |
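Review bot: the right column's last line is cut off at `[[Category:` with no category name or closing brackets, while the left column has no category tags at all. The incomplete tag must be completed or removed before publishing the undo, otherwise the page will carry a broken wikilink; `[[Category:Test Days]]` on the line above is intact.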