user guide: troubleshooting chapter

user guide: troubleshooting chapter

[Murray McAllister]

Hi,

I am having trouble organizing a troubleshooting section. My current ideas:

Top Three Causes of Problems: <http://danwalsh.livejournal.com/22347.html>

Searching for and Viewing SELinux Denials

* which log files are used.
* ausearch, sealert, setroubleshoot-gui

Analyzing SELinux Denials

* Description of each field: comm, path, scontext, tcontext, etc.
* <http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions> 
"Troubleshooting/AVCDecisions"

Why was Access Denied?

* auditwhy.
* DAC rules.

Fixing Problems

* fedora-selinux-list, Red Hat Bugzilla, audit2allow, chcon, semanage 
fcontext, setsebool.
* Permissive Domains: <http://danwalsh.livejournal.com/24537.html>
* Booleans for Services (HTTP, Samba, FTP, MySQL, rsync).

Thanks for any ideas.

Regards.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: user guide: troubleshooting chapter

[Dominick Grift]

[-- Attachment #1: Type: text/plain, Size: 326 bytes --]

On Wed, 2008-10-29 at 13:07 +1000, Murray McAllister wrote:

> Thanks for any ideas.

Issues often happen due to bad labels. You may want to touch on
autorelabel, fixfiles, restorecon and invalid types like unlabeled_t,
file_t etc. The first thing i always check is to see if the source and
target context look valid.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 197 bytes --]

Re: user guide: troubleshooting chapter

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Murray McAllister wrote:
> Hi,
> 
> I am having trouble organizing a troubleshooting section. My current ideas:
> 
> Top Three Causes of Problems: <http://danwalsh.livejournal.com/22347.html>
> 
> Searching for and Viewing SELinux Denials
> 
> * which log files are used.
> * ausearch, sealert, setroubleshoot-gui
> 
> Analyzing SELinux Denials
> 
> * Description of each field: comm, path, scontext, tcontext, etc.
> * <http://fedoraproject.org/wiki/SELinux/Troubleshooting/AVCDecisions>
> "Troubleshooting/AVCDecisions"
> 
> Why was Access Denied?
> 
> * auditwhy.
> * DAC rules.
> 
> Fixing Problems
> 
> * fedora-selinux-list, Red Hat Bugzilla, audit2allow, chcon, semanage
> fcontext, setsebool.
> * Permissive Domains: <http://danwalsh.livejournal.com/24537.html>
> * Booleans for Services (HTTP, Samba, FTP, MySQL, rsync).
> 
> Thanks for any ideas.
> 
> Regards.
> 
> -- 
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov
> with
> the words "unsubscribe selinux" without quotes as the message.
Looks good.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkkLCs8ACgkQrlYvE4MpobNTbACgq+MmD27rqT5DjcIC2htNUxSX
UqAAniiRX0w3cAcoQcmdGkgCzzHNw5S/
=uR6c
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.