Do you use SELinux
Daniel J Walsh
dwalsh at redhat.com
Mon Jun 11 19:00:19 UTC 2007
Tim wrote:
> On Mon, 2007-06-11 at 14:07 -0400, Daniel J Walsh wrote:
>
>> If the setroubleshoot tells you to relabel a file/directory try it.
>> If it works then don't report a bug unless it returns.
>>
>
> So a bug, somewhere, but not with SELinux (it's denying as told to)?
>
> In those cases where something does need a rule change, or special
> contexts applied to some locations, who determines the master rules?
> SELinux policy makers?
Yes, although often in consultation with the package maintainers.
> The builder of the package that wants more than
> it's getting?
>
Usually they will get what they want. Although we might suggest they
change the way the app works.
> I mean that in the cases that aren't where a package should get rebuilt
> to not want to do what it's being denied. That's obviously a bug with
> those packages.
>
>
Denial messages can happen for a variety of reasons:
- Badly written policy (mistakes in policy, or code paths being crossed
  that the policy writer did not know about).
- Badly written app.
- User mislabeling.
- User changing the configuration and not fixing the labeling or
  booleans. (ftp can be run in two ways: anonymous ftp or access to users'
  home dirs. If you change the configuration you need to tell SELinux
  about it.)
- System becoming mislabeled (upgrading from fc6-fc7).
- You are being hacked.