SElinux

Robert Nichols rnicholsNOSPAM at comcast.net
Tue Apr 4 19:57:17 UTC 2006


Matthew Saltzman wrote:
> On Tue, 4 Apr 2006, Robert Nichols wrote:
> 
>> Changing file contexts is very simple.  Knowing what to change a
>> file context _to_ in order to fix any particular denial is not so
>> simple.  And fixing the root problem that is repeatedly causing
>> similar denials requires quite a bit of knowledge and analysis.
> 
> 
> I've seen references to audit2allow that make me think this tool should 
> help identify what needs to be changed to fix any particular denial. 
> Haven't investigated in detail yet.

There is simply no way for audit2allow to know what is the
appropriate change.  Should executables with this type always be
allowed this kind of access?  Does the executable have the wrong
type?  Does the target file have the wrong context, and if so,
how did it get that way and what needs to be done so that in the
future similar files will get the correct context?  The
immediate problem can be circumvented by changing any of the
three parameters, but knowing which change is "right" is a bit
more complicated.

And that's just for users.  The application developer has a
whole additional level of complexity to consider if his app.
finds itself "targeted".

To make SELinux work for the wide variety of things done on
desktop machines it needs a staff of highly trained volunteers
willing to donate their time to analyze each problem and make
and maintain the appropriate changes to the standard policy on
each system.  And fix it RIGHT NOW, please, I need to finish
building this ISO and mail out the CD-R before the Post Office
closes today.  OK, "setenforce 0" is the quickest fix.  Pardon
me if I somehow neglect to change that back any time soon.

-- 
Bob Nichols         Yes, "NOSPAM" is really part of my email address.
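The three questions Bob raises (is the access legitimate for this domain, is the executable mislabelled, is the target mislabelled) can be turned into a first-pass triage over AVC denials, which is the step audit2allow skips when it simply emits an allow rule. The script below is an added example for this thread, not something from the post or from Fedora; the audit lines, the tiny file-contexts table and the comm-to-domain map are all constructed stand-ins for a real policy, and a real policy resolves overlapping file-context patterns by specificity while this toy takes the first match.

```python
import re

# Constructed sample AVC denials (not real log output) covering the three cases in the post.
SAMPLE_AUDIT_LINES = [
    # 1. labels are consistent: httpd_t reading a user_home_t file -> a policy decision is needed
    'type=AVC msg=audit(1144180000.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" '
    'path="/home/bob/public_html/index.html" dev=sda3 ino=98765 '
    'scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file',
    # 2. target file carries a home-directory label under /var/www -> the target is mislabelled
    'type=AVC msg=audit(1144180001.456:46): avc:  denied  { getattr } for  pid=2346 comm="httpd" '
    'path="/var/www/html/index.html" dev=sda3 ino=98766 '
    'scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file',
    # 3. httpd is running in initrc_t instead of httpd_t -> the executable is mislabelled
    'type=AVC msg=audit(1144180002.789:47): avc:  denied  { write } for  pid=2347 comm="httpd" '
    'path="/var/www/html/app.log" dev=sda3 ino=98767 '
    'scontext=root:system_r:initrc_t tcontext=root:object_r:httpd_sys_content_t tclass=file',
]

# Constructed stand-in for a file_contexts table: path regex -> expected file type.
FILE_CONTEXTS = [
    (r"/var/www(/.*)?", "httpd_sys_content_t"),
    (r"/home/[^/]+(/.*)?", "user_home_t"),
    (r"/usr/sbin/httpd", "httpd_exec_t"),
]

# Constructed stand-in for "which domain should this program run in".
EXPECTED_DOMAIN = {"httpd": "httpd_t"}

AVC_FIELDS = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
AVC_PERMS = re.compile(r'\{\s*([^}]*?)\s*\}')       # { read write }


def parse_avc(line):
    """Return the key/value fields of one AVC denial line, or None if it is not a denial."""
    if "avc:" not in line or "denied" not in line:
        return None
    fields = {k: v.strip('"') for k, v in AVC_FIELDS.findall(line)}
    m = AVC_PERMS.search(line)
    fields["perms"] = m.group(1).split() if m else []
    return fields


def type_of(context):
    """user:role:type[:level] -> type"""
    return context.split(":")[2]


def expected_file_type(path):
    """Look up the label the file-contexts table says this path should carry (first match)."""
    for pattern, ftype in FILE_CONTEXTS:
        if re.fullmatch(pattern, path):
            return ftype
    return None


def triage(line):
    """Classify a denial as one of: relabel_target, relabel_executable, policy_decision."""
    d = parse_avc(line)
    if d is None:
        return None
    target_type = type_of(d["tcontext"])
    path = d.get("path")
    expected_target = expected_file_type(path) if path else None
    # Question 3 from the post: does the target file have the wrong context?
    if expected_target and expected_target != target_type:
        return ("relabel_target",
                f"{path} is {target_type} but policy expects {expected_target}; "
                "relabel it (e.g. restorecon) and find out how it got that label")
    source_domain = type_of(d["scontext"])
    expected_domain = EXPECTED_DOMAIN.get(d.get("comm"))
    # Question 2: does the executable have the wrong type (process in the wrong domain)?
    if expected_domain and source_domain != expected_domain:
        return ("relabel_executable",
                f"{d['comm']} runs as {source_domain}, expected {expected_domain}; "
                "check the label on the executable, not the target")
    # Question 1: labels are right, so the question is whether this access should be allowed at all.
    return ("policy_decision",
            f"{source_domain} {' '.join(d['perms'])} on {target_type} ({d.get('tclass')}): "
            "decide whether this domain should ever have that access before adding an allow rule")


def triage_log(lines):
    """Triage every denial in an iterable of audit lines, skipping non-AVC records."""
    return [r for r in (triage(l) for l in lines) if r is not None]


if __name__ == "__main__":
    for kind, advice in triage_log(SAMPLE_AUDIT_LINES):
        print(f"{kind:19} {advice}")
```

Only the first bucket is the one where an allow rule is even a candidate answer; for the other two, the rule audit2allow would generate papers over a labelling bug and leaves the next file with the same problem.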




More information about the fedora-list mailing list