Fedora (again) forces me to disable SELinux

Daniel J Walsh dwalsh at redhat.com
Sat Apr 5 11:04:07 UTC 2008



Mark wrote:
> Hey,
> 
> I just installed the Fedora 9 Beta release and am doing a full system
> update as we speak.
> While downloading the updates nothing is wrong.. it just downloads and
> that's it. But when installing the updates I get a ton of selinux
> notices!! and this is just a default Fedora 9 beta followed by a yum
> -y update.
> 
> Also another issue that I noticed was when looking at a flash
> animation in firefox.. when I want to play the animation selinux
> (again) drops in and tells me I can't. (or I need to run a command to
> get it working).
> 
> Now I've tried to run selinux on Fedora 7 and 8 for as long as
> possible just to see how long I can get around it.. I did some
> commands in that time as well but I always end up with disabling
> selinux.
> 
> I have no idea how other users are using fedora in a normal every day
> usage without disabling selinux.. I agree that a firewall should be in
> linux but selinux just doesn't seem mature yet (if it will ever be).
> Perhaps it's time to start considering to turn off selinux and remove
> it out of the fedora kernel completely? As long as it's blaming here
> when I install updates or simply browse the web then selinux gets shut
> down completely!
> 
> So.. how are you doing this?
> 
> 
> Btw.. judging from the selinux stats here:
> http://smolts.org/static/stats/stats.html it says that nearly 50%
> (48.4%) is turning off selinux. And my guess is that all fedora
> servers keep it on making up the other 50%.
> 
The AVC messages you are probably seeing are SELinux attempting to
confine firefox/nsplugins, although you did not submit them.

During the Beta I have been turning on a transition boolean for
nsplugin.  This transition is from unconfined_t to nsplugin_t.  The
attempt here is to confine random code like flashplugin/acrobat and
other closed source programs that read random data from the internet
from attacking your machine.  I have to turn it on by default in
Rawhide/Beta to find out what problems it causes.  I will probably turn
it off when we release, to prevent it causing problems for people like you.

I wrote about the change at

danwalsh.livejournal.com/15700.html

There is a potential real security gain from this, but we need to
experiment to figure out how we can benefit the greatest number of users.

I agree we need to tread lightly when adding new SELinux confinement to
the users, but we still have an ability that could really advance
computer security.

allow_execmod, allow_execstack, allow_execheap, allow_execmod have
caused many avc's to be seen by users, but they also can prevent buffer
overflow attacks.  Sadly, badly coded applications have caused us to turn
a lot of these checks off by default.

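As an added illustration of the exec* denials Dan describes (this script is not part of the thread or of Fedora's tooling): it reads AVC denial lines, keeps only the executable-memory checks (execmem/execstack/execmod/execheap) and reports which application, which SELinux domain and which boolean each one maps to, so an admin can see what flipping a boolean would actually mask instead of disabling SELinux wholesale. The audit lines are constructed samples in the Fedora 9-era format, and the allow_execmem boolean is assumed from that era's policy rather than taken from the post.

```shell
#!/bin/sh
# Constructed sample AVC lines (not real audit output): three exec* denials
# from nsplugin_t, plus an unrelated read denial that must be ignored.
AVC_SAMPLE='type=AVC msg=audit(1207393447.123:45): avc:  denied  { execmem } for  pid=3124 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0 tclass=process
type=AVC msg=audit(1207393448.456:46): avc:  denied  { execmod } for  pid=3124 comm="npviewer.bin" path="/usr/lib/flash-plugin/libflashplayer.so" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1207393449.789:47): avc:  denied  { execstack } for  pid=3130 comm="acroread" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0 tclass=process
type=AVC msg=audit(1207393450.000:48): avc:  denied  { read } for  pid=3131 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Map a denied permission to the boolean that would mask that check.
# allow_execmem is assumed (it is not named in the post); the rest are.
boolean_for_perm() {
    case "$1" in
        execmem)   echo allow_execmem ;;
        execstack) echo allow_execstack ;;
        execmod)   echo allow_execmod ;;
        execheap)  echo allow_execheap ;;
        *)         echo none ;;
    esac
}

# Read AVC lines on stdin; print "comm domain permission boolean" for each
# exec* denial. Anything that is not an executable-memory check is skipped.
summarize_avc() {
    grep 'avc:  denied' | while IFS= read -r line; do
        perm=$(printf '%s\n' "$line" | sed -n 's/.*{ \([a-z_]*\) }.*/\1/p')
        comm=$(printf '%s\n' "$line" | sed -n 's/.*comm="\([^"]*\)".*/\1/p')
        # source domain is the third field of scontext (user:role:type:level)
        dom=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
        bool=$(boolean_for_perm "$perm")
        [ "$bool" = none ] && continue
        printf '%s %s %s %s\n' "$comm" "$dom" "$perm" "$bool"
    done
}

# Number of sample denials that setting boolean $1 would silence.
count_for_boolean() {
    printf '%s\n' "$AVC_SAMPLE" | summarize_avc | awk -v b="$1" '$4 == b { n++ } END { print n + 0 }'
}

# Total exec* denials in the sample.
count_exec_denials() {
    printf '%s\n' "$AVC_SAMPLE" | summarize_avc | awk 'END { print NR }'
}

printf '%s\n' "$AVC_SAMPLE" | summarize_avc
```

On a real system, replace the sample with `ausearch -m avc` output; a denial that maps to a boolean is a reason to fix or relabel the offending plugin, and only then, knowingly, to consider `setsebool`.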



