[Fwd: Wikipidia - Goodbye Red Hat and Fedora]

David P. Quigley dpquigl at tycho.nsa.gov
Wed Oct 15 15:12:12 UTC 2008


On Wed, 2008-10-15 at 12:45 +0200, Dominik 'Rathann' Mierzejewski wrote:
> On Wednesday, 15 October 2008 at 00:36, David P. Quigley wrote:
> > On Tue, 2008-10-14 at 11:32 +0200, Dominik 'Rathann' Mierzejewski wrote:
> > > SELinux is another subject for a good rant. Example: I created /var/log/dovecot,
> > > chowned it to dovecot user and configured it to put its logs there. Bang!
> > > SELinux denial. There's no easy way to fix it permanently either and SELinux
> > > tools documentation is akin to arcane knowledge. Unless you're familiar with
> > > all the terminology, you won't understand it.
> > > 
> > [snip]
> > 
> > Permanent fix which survives relabels.
> 
> And how do you know that? I can't find anything about it in man semanage.

The new documentation being written addresses this. Also I think Dan
rewrote the man pages recently so you will probably see changes to them
in the next version of Fedora.

> 
> > /usr/sbin/semanage fcontext -a -t dovecot_var_log_t /var/log/dovecot
> > /sbin/restorecon -v /var/log/dovecot
> 
> You mean there's no generic "allow-owner-to-write-in-their-own-directory"
> setting? That's just great. So how do I find out the magic incantation
> for another application?

There is no concept of "owner" in SELinux. The permission checks aren't
based on the identity of the user but rather the program that is being
executed. Trying to find out the correct type of a file is something
that is a little difficult at the moment. Once again this comes down to
documentation. It would be nice to have a list of each of the
applications covered by the policy, their types (listed by application)
and what their purposes are. If we had a document that said the targeted
policy covers dovecot and here are the types for it and their meaning it
would make life easier for people. This way you could have looked up
dovecot and its logfile type and seen it was dovecot_var_log_t. I will
add this onto the list of things for the documentation writer to look
into, but you are right, as of the moment it is a little difficult to
figure it out.

However, since that list doesn't currently exist (at least not that I
know of) the way I found the correct type for you was to load up the
loaded policy in apol and look for all the types that started with
dovecot.

> 
> > SELinux documentation has been lacking in the past but Red Hat has hired
> > someone to write proper documentation for SELinux and it is getting
> > better every day. In an article on LWN I answered this question[1]. In
> > addition to this someone also linked the page below which contains quite
> > a bit of information that this person gathered when learning about
> > SELinux[2]. If you are willing to take the time to go through some of
> > his stuff you will realize SELinux really isn't as difficult as people
> > make it out to be, it's just that it's not what they are used to. You
> > already know to set one set of permissions on the file when you create
> > it you just have to realize there is a type that needs to be set as
> > well.
> > 
> > [1]http://lwn.net/Articles/290168/
> > [2]http://equivocation.org/selinux
> 
> Ah. Isn't that obvious? An LWN article and some random website as the canonical
> source of SELinux documentation. Of course that's the first place anyone will
> look.
> 
> At least put it in policycoreutils package docs. There's nothing apart from
> manpages there and these are quite uninformative. Or put those articles (or
> link to them) on Fedora wiki. Please.

Well there is also SELinux by Example by the Tresys folks. That is
considered one of the canonical sources of information about SELinux.
Also there are the foundation papers on the NSA website you can read as
well. I may sound like a broken record with this but a lot of this stuff
will be addressed once the documentation writer releases the new
documentation. The current state of documentation isn't really well
organized but it's out there and hopefully once all the new docs are
released it will provide all the information people need in a
centralized place. If documentation is the main hurdle for people using
SELinux we hope that the new docs will make understanding SELinux easier
for all those who want to learn it. 

If there are any topics you would like to see in the documentation feel
free to send them to me and I'll add them onto the list for the
documentation writer. The current list can be seen at the URL below[1].
If you are interested in the current state of the documentation work you
can look at the SELinux mailing list archives for messages from Murray
McAllister[2]. He posted the initial drafts of the documentation and
there are numerous responses to his postings with additional information.
It's worth noting that these documents are still drafts so they might
not be 100% correct at the moment and will probably contain more
information in their finished form. 

Dave

[1]http://selinuxproject.org/page/Documentation_TODO
[2]http://marc.info/?l=selinux&w=2&r=1&s=McAllister&q=b
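Added example (not part of the thread): a small POSIX sh audit that compares the type field of a file's current context against the one the policy expects and, on mismatch, prints the persistent semanage fcontext / restorecon fix quoted above. The sample contexts are constructed; on a real system the inputs come from `ls -Zd PATH` and `matchpathcon PATH`, and `seinfo -t` (setools) lists policy types the way apol does. It generalizes the quoted one-liner by registering the whole directory tree with a `(/.*)?` regex suffix.

```shell
#!/bin/sh
# Audit SELinux file labels and emit a persistent fix for drift.
# Contexts have the form user:role:type:level; policy decisions in the
# targeted policy hinge on the type field, so that is what we compare.

# Extract the type field from a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when the current context ($1) has the expected type ($2 is
# the expected context, e.g. matchpathcon output).
label_ok() {
    [ "$(ctx_type "$1")" = "$(ctx_type "$2")" ]
}

# Print the commands that make the label survive a relabel and apply it.
# $1 = path, $2 = target type. The "(/.*)?" suffix covers the subtree.
fcontext_fix() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Audit one path: $1 = path, $2 = current context, $3 = expected context.
# Returns 0 when the label is correct, 1 when it drifted.
audit_path() {
    if label_ok "$2" "$3"; then
        printf 'OK    %s (%s)\n' "$1" "$(ctx_type "$2")"
        return 0
    fi
    printf 'DRIFT %s: is %s, want %s\n' "$1" "$(ctx_type "$2")" "$(ctx_type "$3")"
    fcontext_fix "$1" "$(ctx_type "$3")"
    return 1
}

# Constructed sample: a hand-made /var/log/dovecot inherits var_log_t from
# its parent, while the policy expects dovecot_var_log_t for dovecot logs.
audit_path /var/log/dovecot \
    "unconfined_u:object_r:var_log_t:s0" \
    "system_u:object_r:dovecot_var_log_t:s0"
# Constructed sample of a correctly labelled path.
audit_path /var/log/maillog \
    "system_u:object_r:var_log_t:s0" \
    "system_u:object_r:var_log_t:s0"
```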
More information about the fedora-devel-list mailing list