Re: Another selinux rant
- From: Andrew Farris <lordmorgul gmail com>
- To: Development discussions related to Fedora <fedora-devel-list redhat com>
- Subject: Re: Another selinux rant
- Date: Fri, 04 Jan 2008 14:52:57 -0800
Jonathan Underwood wrote:
> The problem is: setroubleshoot teaches average users that avc denials
> come about due to bugs in selinux policy. If there was some massive
> security problem right now on my machine causing avc denials I'd
> probably react by filing a stack of bug reports. This is the
> fundamental problem as it stands with SElinux. If it was working, we
> would be in a situation where the first response to an avc denial is
> "OMG there's a security issue with something running on my machine, I
> must fix that".
True enough, but that (trusting denials are legitimate breaches) is a goal that
is not necessarily here yet... while there are still bugs being filed in policy
you (or 'average users' such as me and most rawhide testers) have very little
chance of knowing which is which.
That doesn't mean it is not working... a security problem that's generating
denials is only a problem per se when you go and disable selinux thinking 'it's
just a bug, I can ignore these and let it happen'.
As long as a bug is filed, and your machine is still enforcing, and someone
hasn't found a way around the denials, either the policy will change or Dan is
going to post back to that bug report that what is happening is definitely not
going to be allowed by policy. That's when you go fishing for your security issue.
Most people probably just go and disable it, assuming denials were from
something they were trying to do and a bug prevented them from doing it. I
think it's very important that rawhide testers be using selinux though, because
there is no way to prevent policy bugs from getting to release (and the broad
userbase from then disabling selinux...) otherwise.
--
Andrew Farris <lordmorgul gmail com> <ajfarris gmail com>
gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
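An added illustration, not part of Andrew's post and not setroubleshoot's own code: a small Python parser over constructed audit.log AVC records that groups denials by source and target type and flags which ones were actually enforced (permissive=0), which is the starting point for deciding whether a denial looks like a policy bug to file or an access that policy is right to block.

```python
import re

# Constructed sample audit.log records (not from the thread). The last line is a
# SYSCALL record, which the parser must skip; the third has permissive=1, i.e. the
# access was logged but not actually blocked.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1199487177.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1199487178.456:457): avc:  denied  { read } for  pid=2345 comm="httpd" name="style.css" dev=sda1 ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1199487190.789:458): avc:  denied  { execmem } for  pid=3001 comm="firefox" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=1
type=SYSCALL msg=audit(1199487177.123:456): arch=c000003e syscall=2 success=no exit=-13
"""

# Fields of an AVC denial record; permissive= is optional because older kernels
# did not emit it (a missing field is treated as an enforced denial).
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)

def parse_avc_denials(text):
    """Return one dict per AVC denial record; other audit record types are skipped."""
    events = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d['perms'] = tuple(d['perms'].split())      # e.g. ('read',) or ('read', 'write')
        d['enforced'] = d['permissive'] != '1'       # blocked, not merely logged
        events.append(d)
    return events

def summarize(events):
    """Group by (source type, target type, class, perms): count, whether any was enforced, commands."""
    summary = {}
    for e in events:
        key = (e['scontext'].split(':')[2], e['tcontext'].split(':')[2], e['tclass'], e['perms'])
        entry = summary.setdefault(key, {'count': 0, 'enforced': False, 'comms': set()})
        entry['count'] += 1
        entry['enforced'] = entry['enforced'] or e['enforced']
        entry['comms'].add(e['comm'])
    return summary

if __name__ == '__main__':
    for (stype, ttype, tclass, perms), v in summarize(parse_avc_denials(SAMPLE_AUDIT_LOG)).items():
        mode = 'ENFORCED' if v['enforced'] else 'permissive only'
        print(f"{v['count']:3d}x {stype} -> {ttype} ({tclass}) {{ {' '.join(perms)} }} "
              f"by {','.join(sorted(v['comms']))}: {mode}")
```

Feed it the real file with `parse_avc_denials(open('/var/log/audit/audit.log').read())`; a repeated, enforced denial for a daemon's own data files reads like a policy bug, while an unexpected domain pair is the one to investigate before touching enforcing mode.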