
But what am I, as the sysadmin, supposed to label things? Even if I know that I probably need to apply some labels, how do I find out what the policies are? What labels can interact with this program? You can turn to Google and find some incantations in a blog or forum post from ten years ago, but you can't easily see which labels a program is allowed to interact with or not. (If you even know to ask that question.)


Fedora comes with manpages. So for instance, say you want to place http pages outside of /var/www. Fedora comes with the selinux-policy-doc package, which gives you the httpd_selinux manpage:

https://linux.die.net/man/8/httpd_selinux

It's a tad dense, but in the Sharing Files section you can find an explanation of which context is used for what. You can also look at the existing context, eg:

    $ ls -laZ /var/www
    total 4
    drwxr-xr-x.  4 root root system_u:object_r:httpd_sys_content_t:s0       33 mar 17 17:32 .
    drwxr-xr-x. 21 root root system_u:object_r:var_t:s0                   4096 abr 18 10:57 ..
    drwxr-xr-x.  2 root root system_u:object_r:httpd_sys_script_exec_t:s0    6 mar 17 17:32 cgi-bin
    drwxr-xr-x.  2 root root system_u:object_r:httpd_sys_content_t:s0        6 mar 17 17:32 html
And copy those for your own use.


sesearch -A

That shows the list of what labels are allowed to do what to which labels, so run ps -Z to get the label of your process and grep the sesearch output for it, and that will tell you what labels it's allowed to interact with and in what ways.

selinux is generally pretty straightforward, but it has a reputation for being impenetrable which puts people off trying to learn it.
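The workflow the two replies above describe (read the label off an existing object or a running process, ask sesearch what that domain may do with it, then copy the label onto your own path) written out as POSIX sh. This is an added example, not code from the thread. The policy-query function is exercised on a constructed sample of sesearch output so it runs anywhere; the two functions that shell out to ps, sesearch (setools-console), semanage and restorecon assume a Fedora-style host with those tools installed and are not invoked by the script itself. The sample rules, the /srv/www-style path in the usage note and the httpd defaults are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): find the label, check the policy,
# copy the label. can_do() runs on constructed `sesearch -A` output so it
# works offline; httpd_rules() and relabel_docroot() call the real tools and
# assume setools-console, policycoreutils (semanage, restorecon) and a running
# httpd, so they are only called explicitly by the reader.

# Type field of an SELinux context "user:role:type:level".
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `sesearch -A` output on stdin and answer whether domain $1 is allowed
# permission $4 on class $3 of type $2. Handles both setools line shapes:
#   allow httpd_t httpd_sys_content_t:file { getattr open read };
#   allow httpd_t httpd_sys_content_t:file read;
# Conditional rules carry a trailing "[ boolean ]:True/False"; they match
# like any other rule here, so check the boolean state with getsebool.
can_do() {
    src=$1 tgt=$2 cls=$3 perm=$4
    awk -v src="$src" -v tgt="$tgt" -v cls="$cls" -v perm="$perm" '
        $1 == "allow" && $2 == src && $3 == (tgt ":" cls) {
            if (index($0, "{")) {
                line = $0
                sub(/^[^{]*[{] */, "", line)
                sub(/ *[}].*$/, "", line)
            } else {
                line = $4
                sub(/;.*$/, "", line)
            }
            n = split(line, p, " ")
            for (i = 1; i <= n; i++) if (p[i] == perm) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Constructed sample of what `sesearch -A -s httpd_t` prints for the content
# types seen in the ls -Z listing above (assumed, not captured from a host).
SAMPLE_RULES='allow httpd_t httpd_sys_content_t:file { getattr ioctl lock open read };
allow httpd_t httpd_sys_content_t:dir { getattr ioctl lock open read search };
allow httpd_t httpd_sys_rw_content_t:file { append create getattr ioctl link lock open read rename setattr unlink write };
allow httpd_t httpd_sys_content_t:lnk_file read;'

# Live version: take the domain from the running process (ps -Z), as the
# reply suggests, then ask the policy what it may do with type $1.
httpd_rules() {
    dom=$(ctx_type "$(ps -eZ | awk '/httpd/ { print $1; exit }')")
    sesearch -A -s "${dom:-httpd_t}" -t "$1"
}

# Persistently give a new docroot the type /var/www/html carries, then apply
# it. A plain chcon would be undone by the next restorecon; the semanage
# fcontext rule is what survives.
relabel_docroot() {
    semanage fcontext -a -t "${2:-httpd_sys_content_t}" "${1}(/.*)?" &&
    restorecon -Rv "$1"
}

# Offline demonstration on the constructed rules.
for check in "file read" "file write" "lnk_file read"; do
    set -- $check
    if printf '%s\n' "$SAMPLE_RULES" | can_do httpd_t httpd_sys_content_t "$1" "$2"; then
        echo "httpd_t may $2 httpd_sys_content_t:$1"
    else
        echo "httpd_t may NOT $2 httpd_sys_content_t:$1"
    fi
done
```

On a real host, `httpd_rules httpd_sys_content_t | can_do httpd_t httpd_sys_content_t file write` answers the question the comment raises (it should fail: httpd_t only reads plain content, which is the point of the separate httpd_sys_rw_content_t type), and `relabel_docroot /srv/www` is the "copy those for your own use" step done so that it survives a relabel. Unfiltered `sesearch -A` is tens of thousands of lines; `-s` and `-t` keep it readable.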



