first encounters with SELINUX, with some suggestions

David Malcolm dmalcolm at redhat.com
Tue Nov 9 16:46:55 UTC 2004


On Tue, 2004-11-09 at 13:12 +0100, Thomas Vander Stichele wrote:
> Hi,
> 
> I upgraded to FC3 this weekend.  I always try and go with the defaults
> on a new install, because when fielding bug reports for my various
> projects I prefer to make the defaults work first so bug reporters and I
> have a common ground to work with.
> 
> Since the default SELINUX policy is "targeted" I chose this, bracing
> myself :)
> 
> My first task was getting all my locally hosted websites to run.
> 
> I have a few virtualhosts in my /home/thomas/www directory.  When
> starting apache, the service script complains about these directories
> missing.
> 
> Please note that I have a separate /home partition on hda6; I don't know
> if this affects any policy (yet).
> 
> The system log file shows things like:
> audit(1100000312.370:0): avc:  denied  { search } for  pid=12350
> exe=/usr/sbin/httpd name=thomas dev=hda6 ino=557094
> scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t
> tclass=dir
> 
> I read through a few howto's, including
> http://fedora.redhat.com/docs/selinux-faq-fc3/index.html
> (which has all of its internal links broken, can somebody please fix
> this, it's quite annoying !) and the writing policy howto mentioned
> herein: https://sourceforge.net/docman/display_doc.php?docid=21959&group_id=21266
> 
> The latter has a paragraph about where policy is stored, and mentions
> Makefiles and other stuff in /etc/selinux.  None of this is present on
> my FC3 system, so I'm assuming here that Red Hat has changed some things
> from the default SELinux which obviate this step, but I have no way of
> finding out how.  Am I missing something ? Maybe there's a package I
> need to install ?
> 
> I decided to learn about SELinux through the equivalent of poking at it
> with a large stick.
> I started adding some policy
> to /etc/selinux/targeted/contexts/files/file_contexts, adding a line
> reading:
> 
> /home/thomas/www
> system_u:object_r:httpd_sys_content_t
> 
> The former howto tells me I can run
> /sbin/fixfiles relabel /home/thomas/www
> 
> but that command just gives me this:
> Usage: /sbin/fixfiles {-R rpmpackage[,rpmpackage...] [-l logfile ] [-o
> outputfile ] |check|restore|[-F] relabel}
> 
> It would seem to me that what I issued was correct, both from the howto
> as well as the usage output.  Clearly I'm missing something else here.
> 
> So I tried this:
> restorecon -v -R /home/thomas/www
> 
> and that did something.  How do these two tools differ ? Why does the
> first not work as advertised ?
> 
> Using ls -alZ /home/thomas I seem to get the impression this security
> context has been adopted.  Still, apache refuses to see the directory.
> 
> So I read some more of the howto.  There's a binary called audit2allow
> that could help me generate rules.  So I run it, restart apache a few
> times, but the binary doesn't print anything, not even with -v.  Maybe
> I'm using it wrong, but there's no way of finding out if I am.
> 
> 
> At this point, I'm pretty much stuck.  So if any kind soul wants to
> throw me a bone, please do.
> 
> There are some things I find troubling and would want to offer
> suggestions for.
> 
> - I am a fairly typical developer.  I'd like to understand my system and
> to do so I read documentation, look at examples and try it out.  Yet the
> barrier to entry to selinux is pretty high, which seems bad for
> something Red Hat wants to be finely integrated into the distribution.
> 
> Maybe it would be a good idea to write a simple "getting started" guide
> explaining how to do two or three common tasks (I'd say "serving web
> pages from a nonstandard directory" would be one of them), making sure
> that EVERY STEP works.  Right now the howto contains things that do not
> work as advertised, and links to docs that reference stuff that is not
> present, without a mention close by where to get it.
> 
> - A lot of developers I know, including a bunch at Red Hat, *turn off
> SELINUX entirely*.  IMO, something that gets pushed as heavily as this
> should be dogfooded by the development team at Red Hat completely, so
> they encounter firsthand what it means and how to fix basic issues.

FWIW I have three machines here, of which two have SELinux always on in
enforcing mode, and the third sometimes on (dogfooding Rawhide here, so
sometimes things break...).  They're all using the targeted policy.

> Knowledge spreads through increasingly growing circles starting from the
> center.  If all RH developers, who have "easy" access to the SELINUX
> people at Red Hat, were to use it, they'd have basic knowledge about it.
> When the next circle of developers - outside of redhat, but having links
> to inside - gets hit, they do the same.  And so on.
> 
> It looks to me like the first circle is already completely broken, hence
> halting the dissemination of information and increasing the annoyance
> level outside of Red Hat.  It won't be long before sysadmins and users
> ignore the default and turn it off entirely.
> 
> - The documentation is not easy to find, out of date, and doesn't match
> the system.  IMO, if FC3 gets released, the howto for something as basic
> as SELINUX should be up to date and easy to find.
> 
> As it is today:
> - http://fedora.redhat.com has one link to SELinux, which links to a
> project page that seems to be from before FC2 (!) and has no mention of
> documentation
> - The "docs" link below that links to the docs as a project, not to
> docs.  Maybe not that bad, but confusing.
> - The docs link on the left links to docs, where SELINUX is listed, and
> the link mentions that it is for FC3 test 2
> - When you click it, the docs say it is for test *3*
> - all internal links in that doc are broken
> - some commands in that doc do not work: fixfiles, audit2allow
> - the document is more of a FAQ than a Howto, a simple "getting started"
> would help a lot.
> 
> I understand that FC3 is relatively fresh and that not everything can be
> in place from the start.
> I just want to get a good picture of where SELINUX is at and how to
> solve issues, so that I can try to fix stuff myself, and explain to
> other people.  Otherwise I'll just have to turn off SELINUX myself, and
> recommend the same to others when questions are asked about it.
> 
> Feel free to comment, both on the particular issue at hand as well as
> the general issue of entry barriers to selinux.
> 
> Thomas
> 
> Dave/Dina : future TV today ! - http://www.davedina.org/
> <-*- thomas (dot) apestaart (dot) org -*->
> I will play you like a shark
> And I'll clutch at your heart
> I'll come flying like a spark
> To enflame you
> <-*- thomas (at) apestaart (dot) org -*->
> URGent, best radio on the net - 24/7 ! - http://urgent.fm/
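The denial quoted above is the kind of AVC message an admin has to read before deciding whether a relabel is the right fix. The script below, added here and not part of either message, parses lines in that format, pulls out the type component of the source and target contexts, and maps an httpd_t denial against a non-content type to the file_contexts + restorecon remedy the post arrives at. The sample log lines are constructed to match the quoted format (syslog writes the message on one line); the set of httpd-readable types is deliberately reduced to the one type the post uses.

```python
"""Triage helper for SELinux AVC denials in the FC3-era syslog format."""
import re

# Constructed sample log: line 1 mirrors the denial quoted in the post,
# line 2 is a made-up file denial, line 3 is noise that must be ignored.
SAMPLE_LOG = """\
audit(1100000312.370:0): avc:  denied  { search } for  pid=12350 exe=/usr/sbin/httpd name=thomas dev=hda6 ino=557094 scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t tclass=dir
audit(1100000313.101:0): avc:  denied  { getattr } for  pid=12350 exe=/usr/sbin/httpd path=/home/thomas/www/index.html dev=hda6 ino=557101 scontext=root:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
Nov  9 13:10:02 host httpd: some unrelated line
"""

AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)\s+"
    r"\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)$"
)

# Assumption for this example: only the type named in the post is treated
# as web content; a real check would consult the installed policy.
HTTPD_READABLE = {"httpd_sys_content_t"}


def parse_avc(line):
    """Return the fields of one AVC message as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "result": m["result"], "perms": m["perms"].split()}
    for key, val in re.findall(r"(\w+)=(\S+)", m["rest"]):  # key=value tail
        rec[key] = val
    # A context is user:role:type; policy rules are keyed on the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def suggest(rec):
    """Map one httpd_t denial to a next step: relabel, or look elsewhere."""
    if rec.get("scontext_type") != "httpd_t":
        return "not an httpd denial"
    if rec.get("tcontext_type") in HTTPD_READABLE:
        return "label is already web content; the denial is not a labelling problem"
    return ("target has type %s; add an httpd_sys_content_t entry to file_contexts "
            "and run: restorecon -R -v <path>" % rec.get("tcontext_type"))


def triage(log):
    """Return (target, perms, suggestion) for every httpd_t denial in the log."""
    out = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and rec.get("scontext_type") == "httpd_t":
            out.append((rec.get("path") or rec.get("name", "?"), rec["perms"], suggest(rec)))
    return out
```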
