Packages
--------
policycoreutils
- restorecon

policycoreutils-python
- semanage

setroubleshoot

yum tips
---------
yum list installed | grep (...)
yum provides (command)

checking/setting mode of SELinux
---------------------------------
3 modes:
Disabled   -- off
Permissive -- logs violations, but doesn't stop them
Enforcing  -- logs and stops violations

getenforce           -- get current mode of SELinux
setenforce           -- change current mode of SELinux (can't disable)
/etc/selinux/config  -- set default mode for system

Description
-----------
Mandatory Access Control on top of the Discretionary Access Control implemented
by file permissions

SELinux applies labels to every file, process, directory, and port
Four kinds of labels, providing a lot of (too much) flexibility:
- user
- role
- type <<--!!!!THE MAIN ONE!!!!
- sensitivity

SELinux also has a set of booleans that govern operations of the system. Kind of
like the rules that govern what the labels mean.

A 'policy' is all of the settings (booleans and default labels) of what can do
what on a system. The default policy is called 'targeted'
(set in /etc/selinux/config)

The actual policy files are located in /etc/selinux/targeted, but you probably
shouldn't ever have to interact with them directly.

yum list installed | grep selinux
- see which policies are installed on your system

yum search selinux-policy
- see what other policies are available in your repo

Reading labels
-------------------
ls -laZ
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg

ps -efZ
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 user 1880 1876  0 18:08 ? 00:00:00 sshd: user@pts/0
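
Added example (not part of the original notes): a small sh sketch that pulls the
user:role:type:level label out of `ls -Z` / `ps -Z` lines and splits it, using
the two sample lines above as input. The function names are made up for this
example, and it assumes the label is the first word on the line with at least
three colons.

```shell
#!/bin/sh
# Sample input: the two output lines shown in these notes.
LS_LINE='-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg'
PS_LINE='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 user 1880 1876  0 18:08 ? 00:00:00 sshd: user@pts/0'

# context_of_line LINE -> prints the first word containing at least three
# colons. Runs in a subshell with globbing off so a bare '?' (the TTY column
# of ps) is not expanded against files in the current directory.
context_of_line() (
    set -f
    for word in $1; do
        case $word in
            *:*:*:*) printf '%s\n' "$word"; exit 0 ;;
        esac
    done
    exit 1
)

# field_of CONTEXT NAME -> prints one field (user|role|type|level).
# The level can itself contain ':' (s0-s0:c0.c1023), so only the first three
# colons are separators; `read` leaves the whole remainder in the last variable.
field_of() {
    IFS=: read -r se_user se_role se_type se_level <<EOF
$1
EOF
    case $2 in
        user)  printf '%s\n' "$se_user" ;;
        role)  printf '%s\n' "$se_role" ;;
        type)  printf '%s\n' "$se_type" ;;
        level) printf '%s\n' "$se_level" ;;
        *)     return 2 ;;
    esac
}

# type_of_line LINE -> the type field (the one these notes call the main one).
type_of_line() {
    ctx=$(context_of_line "$1") || return 1
    field_of "$ctx" type
}

# Stand-alone run: print the type for each sample line.
type_of_line "$LS_LINE"
type_of_line "$PS_LINE"
```

On a real system, feed it lines from `ls -laZ` or `ps -efZ` instead of the
embedded samples.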

Interacting with policy and labels
-----------------------------------
semanage        -- handy tool for querying and changing default policy (and more)
chcon           -- changes the current label of an item (but not in the default policy)
restorecon      -- changes labels back according to the default policy
getsebool       -- list boolean values
setsebool (-P)  -- set boolean value
