Fedora (again) forces me to disable SELinux

Stewart Adam maillist at diffingo.com
Sun Apr 6 18:51:56 UTC 2008


As I said, I don't use SELinux extensively so that's why I don't know
all the tools/solutions that are out there. But just for the record,
this was a home server (so obviously not paid) and I did do research - I
wrote a howto on turning audit messages into custom policy rules/modules
once I figured out how to use audit2allow and semodule.

First, let me say that I agree with you - SELinux is a good thing, and
Google makes solving a lot of problems pretty easy... As long as you are
comfortable with the command line or the SELinux tools. My point wasn't
that SELinux is bad, or that people can't use system-config-selinux.
Rather, I'm trying to point out that from the end-user point of view
Fedora is broken right now, never mind once their system has been
compromised.

Macs and Windows can share documents in a Public folder quite easily.
Both have their fair share of problems, but forget about that for now.
Fedora offers various tools to make file sharing easy and painless. If
it doesn't work when a user has added shares and clicked OK, Fedora
appears to be broken to them. Instead of dealing with complicated audit
messages, doing an hour or two of research to find out what each means,
yes - that "red button" accompanied by a clear, easy to understand
message may be a good thing. If a user wants to share a path in /home
and we know that causes a potential conflict, then a simple solution is
to warn the user about it instead of letting it fail:
________________________________________________________________________
| One or more of the shares you have configured are located in the     |
| /home directory. Sharing files in /home may be blocked by SELinux.   |
| Would you like to grant Samba the permission to share files in       |
| /home?                                                               |
|                                                                      |
|___________________________________________________[ No ]____[ Yes ]__|

It comes down to this: The end user likes to have things just work.
Developers want to do things properly (i.e., fast, secure and efficient).
If we can integrate SELinux with our configuration tools so the two are
aware of each other then problem solved.

Stewart

On Sat, 2008-04-05 at 10:06 +0200, Matej Cepl wrote:
> On Fri, 04 Apr 2008 17:17:43 -0400, Stewart Adam scripst:
> > I haven't extensively used SELinux in a long time so excuse me if this
> > already exists, but if we are to keep this enabled by default and want
> > it to be attractive to users I think we need to spend more time on tools
> > like setroubleshoot. Two problems I had when I played with SELinux a few
> > months ago was sharing content in /home via Samba, and /var/www/html via
> > Apache - Both of which are relatively trivial in Mac or Windows. Apache
> > +Windows less so, but at least it doesn't require the command line.
> 
> OK, so this message sent me into overdrive mode (and sorry, if the tone 
> of my reply will show it). This is really the example message of somebody 
> who didn't get it or you had really bad day when you wrote it (yes, we 
> all have such days).
> 
> So, let me restate the situation if I understand it correctly -- you are 
> administering a network of computers with a Linux server (you may be even 
> paid to do it, who knows?) and you are not willing to type into Yahoo! 
> (or Google, results are almost the same) "samba selinux home". And guess 
> what is the first hit in the results? And if you take a look at
> http://fedoraproject.org/wiki/SELinux/samba you may find out that actually this 
> is web representation of manpage selinux_samba(8) (who would guess such 
> name?) which is already present in your box. So, that's the one.
> 
> Then we have this program called system-config-selinux (how unusual name 
> for the system configuration program in Fedoraland, isn't it? Yes, it is 
> new in Fedora 8, before that it had different name). And if you switch to 
> "Booleans" table and write "samba" in the search box, what do you see? 
> "Support SAMBA home directories" and many other samba related switches (I 
> am not sure which way your sharing of /home directories goes, so I am not 
> sure, which is the best for you). Hmm, isn't that interesting?
> 
> OK, so you don't use Google, IRC (#fedora or #selinux channels on 
> FreeNode), installed manpages, or many other methods how to get the 
> information. So, what's your reaction? "SELinux is too complicated and it 
> should be switched off by default!". No, sir, if you want to screw up 
> security of computers you manage, YOU should switch off security features 
> present there, so that YOU are responsible for the consequences. 
> Otherwise, we would have hordes of people with hijacked and broken-into 
> boxes screaming here how Fedora is broken, because it doesn't protect 
> their computer against known security threats.
> 
> </mode type="aggressive">
> 
> (I haven't understood what's your problem with Apache, so I cannot 
> comment on that.)
> 
> You don't have to know that your other idea (red button "Just allow it!") 
> is really not a great idea either. On the one hand you have Internet full 
> of testimonies of people who hate Windows Vista for torturing them with 
> dialog boxes "Can I do it? [Yes] [No]". On the other hand, if you are 
> interested, read this
> http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf -- it is a good read.
> 
> Good luck with your administering!
> 
> Matěj
> 

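The pre-save check proposed in this message (warn when a configured share lives in /home instead of letting it fail), sketched as an added example; it is not code from the thread or from any Fedora tool. The function names and the sample smb.conf are constructed, and the boolean name samba_enable_home_dirs is an assumption taken from Fedora's SELinux policy, not from the message.

```python
import configparser
import posixpath

# Constructed sample smb.conf for illustration; not taken from the thread.
SAMPLE_SMB_CONF = """
[global]
    workgroup = HOME

[homes]
    browseable = no

[public]
    path = /srv/samba/public

[photos]
    path = /home/stewart/Pictures
"""

# Assumption: this boolean name comes from Fedora's SELinux policy, not the thread.
HOME_BOOLEAN = "samba_enable_home_dirs"


def shares_under_home(smb_conf_text):
    """Return names of shares that export /home or a path beneath it."""
    # smb.conf is indented freely; strip lines so configparser does not
    # mistake a deeper-indented option for a continuation line.
    text = "\n".join(line.strip() for line in smb_conf_text.splitlines())
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.read_string(text)
    flagged = []
    for section in parser.sections():
        if section.lower() == "global":
            continue
        if section.lower() == "homes":  # special share: every user's home
            flagged.append(section)
            continue
        path = posixpath.normpath(parser.get(section, "path", fallback=""))
        if path == "/home" or path.startswith("/home/"):
            flagged.append(section)
    return flagged


def selinux_warning(flagged):
    """Build the confirmation text a share tool could show before saving."""
    if not flagged:
        return None
    return ("Shares located in /home: %s. SELinux may block Samba from "
            "serving them. To allow it, run as root: "
            "setsebool -P %s on" % (", ".join(flagged), HOME_BOOLEAN))
```
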



