SELinux blocking Gizmo on FC5

Michael Wiktowy michael.wiktowy at gmail.com
Sun Apr 2 21:30:29 UTC 2006


On 4/2/06, Craig White <craigwhite at azapple.com> wrote:
>
> On Sun, 2006-04-02 at 09:31 +0200, A.J. Bonnema wrote:
> > Michael Wiktowy wrote:
> > > I just fixed my problem with
> > > chcon -t textrel_shlib_t /usr/lib/libsipphoneapi.so.0.78.20060211
> > > I am not exactly sure what that does though.
> > Craig,
> >
> > I wonder how many people do these statements without understanding the
> > implications? How secure would that be?
> ----
> I see your point and agree with it except that you can consider...
>
> the target is /usr/lib/libsipphoneapi.so...
>
> so the adjustment is made to one specific file for one specific purpose
> and the whole of selinux remains intact beyond that. That is
> significant.


All this conversation is starting to make me feel a little bit like a
lab-rat ;]

Beyond all the philosophical design considerations and discoverability
issues, did I do "The Right Thing" here? Also, could someone explain what
the textrel_shlib_t context implies over the original lib_t or point me
somewhere that does so clearly?

It is not a matter of understanding the subject here but rather having a
jargon dictionary for these particular context policies. As I understand it,
you could have any number of contexts based on lower level rules that are
all read from policies that are loaded on boot. Names like lib_t and
textrel_shlib_t may be nice short-hand and may be obvious once you know how
to parse them but without that initial glossary of contexts, it is tough to
gain traction in understanding SELinux. One can sift through all the policy
files (if I knew where those were kept) but that is the same as reading the
source to understand how the application works. It is a high barrier to
entry in understanding how to apply premade security infrastructure.

What is needed in the end is a simple document for end users stating:
- here is a list of things that SELinux can control
- here is a list of contexts that Fedora has implemented
- here is what each context controls and which kinds of files or processes
they are applicable to

If such a document exists, it is not easily found for someone who doesn't
know the right buzz-words to search for. The SELinux FAQ is wonderful but it
is *a lot* to digest and contains a great deal of detail that is hard to
slog through.

Just one lab-rat's opinion.

/Mike
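One check that fits the question in this message, added here as an example and not taken from the thread: textrel_shlib_t is the type Fedora's policy gives to shared libraries that contain text relocations (the loader must write to, then execute, their code pages, which the plain lib_t type does not allow), so before relabeling a library it is worth confirming it actually carries a DT_TEXTREL marker. The ELF parser and the sample image below are my own constructions; `build_sample` is a hypothetical helper that assembles a minimal ELF64 purely to exercise the parser.

```python
import struct
import sys

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4


def needs_textrel(elf: bytes) -> bool:
    """True if a 64-bit little-endian ELF object declares text relocations.

    Scans the PT_DYNAMIC segment for DT_TEXTREL, or DT_FLAGS with DF_TEXTREL
    set. Such a library needs execmod on its own pages, which is exactly what
    textrel_shlib_t permits and lib_t denies; a library without the flag
    should keep lib_t rather than be relabeled."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian objects are handled here")
    # e_phoff at offset 32 (8 bytes); e_phentsize and e_phnum at 54 and 56.
    phoff = struct.unpack_from("<Q", elf, 32)[0]
    phentsize, phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, phoff + i * phentsize)
        if p_type != PT_DYNAMIC:
            continue
        # Each Elf64_Dyn entry is a signed tag plus a value, 16 bytes.
        for off in range(p_offset, p_offset + p_filesz, 16):
            tag, val = struct.unpack_from("<qQ", elf, off)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False


def build_sample(dynamic_entries):
    """Constructed test image: ELF64 header, one PT_DYNAMIC phdr, dynamic section."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dynamic_entries + [(DT_NULL, 0)])
    phoff, dynoff = 64, 64 + 56
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dynoff, 0, 0, len(dyn), len(dyn), 8)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # ELF64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, phoff, 0, 0, 64, 56, 1, 64, 0, 0)
    return ehdr + phdr + dyn


if __name__ == "__main__":
    path = sys.argv[1]
    with open(path, "rb") as f:
        flag = needs_textrel(f.read())
    print(path, "needs text relocations" if flag else "has no text relocations")
```

Where binutils is installed, `readelf -d lib.so | grep TEXTREL` gives the same answer. A `chcon` change lasts only until the next relabel, so on current Fedora the durable form is `semanage fcontext -a -t textrel_shlib_t '<path>'` followed by `restorecon`.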