A great article on why to use SELinux

Daniel J Walsh dwalsh at redhat.com
Mon Mar 3 15:01:36 UTC 2008



Konstantin Svist wrote:
> klybear wrote:
>> On Thu, 28 Feb 2008 09:31:05 +0900, John Summerfield wrote:
>>
>>  
>>> The only penetrations I've seen arrived by ssh. I don't think selinux
>>> would have helped there; the sorts of restrictions I can think of would
>>> also prevent the user from doing what users ought to be able to do such as
>>> download stuff (including email), sending email and so forth.
>>>     
>>
>> I'm a new full-time linux user, having temped with one or two distros in
>> the past, and I have to say that my experience of selinux has been
>> frustrating. I never had any Selinux issues with Ubuntu or Debian, but
>> since using Fedora, three of the four problems I've solved so far
>> turned out to be related to selinux permissions and the fourth one I'm
>> still working on :)
>>
>>   
> 
> Although this is an unpopular opinion on this list, I have to second it.
> So far, I've tried selinux ~3-4 times, and every time it has been a big
> PITA:
> Until my latest attempt, something refused to work altogether, so I
> turned it off (that was back in the FC6 days and earlier). Granted, I
> sometimes choose weird options (reiserfs) and/or installed binary
> drivers (fglrx, ipw3945, etc...), but that's what users are expected to
> do (philosophy aside).
> 
I don't think most users are choosing reiserfs.  Most would have no idea
what it is.  And installing binary drivers has its own problems.  The
main bugs that affect users are executable memory checks which are
fairly easily turned off.
> Then, I've read up on it a little and decided to give it another try
> with FC8. After install, everything seemed okay (only because nothing
> was configured yet). It was only after I started to set up my stuff that
> I started getting a bunch of errors.
> After a few hours, I set it to warning-only mode (permissive?) and
> started collecting the errors.
> People mentioned on this list that selinux errors are fixed really fast
> - so I decided why not submit a few into redhat bugzilla?
> 
> I had submitted 10 selinux-related bugs in November, and there are still
> 4 being worked on (3 of which are still marked as NEW)
> 
Bugzilla #'s?
> - 2 of my 10 have been rejected:
> * 1 as CANTFIX -- because, apparently, setroubleshoot is not meant to be
> read by mere mortals
> * 1 as NOTABUG -- my fault for installing a compiled version of wine
> instead of yum'd version (which was pretty far behind)
> 
> - 3 of them have been [sort of] fixed:
> * 1 as CURRENTRELEASE
> * 1 as VERIFIED  -- not sure why it's not closed, even though I've
> checked that it works with that date's -testing version of the selinux
> rules.. maybe it never made it into release?
> * 1 as MODIFIED -- assignee says it's fixed, but I have no way of
> verifying it, as the bug happened randomly
> 
> - 1 is still at NEEDINFO -- my fault, but I don't really have the time
> right now to re-enable selinux and sit around until it finishes
> relabeling all my files...
> 
I will admit that the squeaky wheel gets the oil.  So if you have
outstanding SELinux issues that have not been addressed, adding a
comment or pinging me will get my attention.  Sometimes bugzillas get
lost in the weeds, especially when we are handling bugs on RHEL4, RHEL5,
Fedora 7, Fedora 8 and Rawhide.

AVC messages give me a snapshot in time, and sometimes fixing one AVC
message just leads to the next.  And sometimes the reporter of the bug
cannot give enough info to explain how the error happened.
> 
> It's true, a few of those got closed pretty quickly -- but it's the rest
> that I'm annoyed about.
> After a few weeks of waiting (and receiving the same error messages), I
> simply turned off selinux altogether.
> As far as I'm concerned, it's just not ready for prime time.
>
You can put policy in place to remove the problems quickly using

grep avc /var/log/audit/audit.log | audit2allow -M mypolicy

> setroubleshoot was definitely a step in the right direction, but it's
> still extremely hard to understand for the uninitiated. And when I
> understand what's going on, it's still hard to do something about it.
> 

Some of these ideas are difficult concepts to understand
(executable/writable memory - execmem, execstack, execheap, execmod).

But if anyone wants to suggest better explanations, we are all ears.
> 
> // END_RANT
> 

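The audit2allow step mentioned in the reply, shown with an added shell example that is not part of the original thread: it reads constructed AVC denials in audit.log format (sample data below, not real log lines) and merges them into the allow rules audit2allow would generate, so the grant can be reviewed before any module is built and loaded.

```shell
#!/bin/sh
# Constructed sample in the format of /var/log/audit/audit.log (illustrative
# values, not real log data). The SYSCALL line shows non-AVC records are skipped.
AVC_SAMPLE='type=AVC msg=audit(1204556496.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1204556497.456:46): avc:  denied  { getattr } for  pid=1234 comm="httpd" path="/home/user/index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1204556498.789:47): avc:  denied  { execmem } for  pid=2345 comm="wine" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1204556498.789:47): arch=40000003 syscall=192 success=no exit=-13'

# avc_to_allow: read audit records on stdin and print one allow rule per
# (source type, target type, class) triple, merging the denied permissions
# the way audit2allow summarises them. A source that equals its target is
# written as "self", matching audit2allow's output.
avc_to_allow() {
    grep 'avc:  *denied' | awk '
    {
        # permissions are the words between "{ " and " }"
        if (!match($0, /[{] [^}]* [}]/)) next
        perms = substr($0, RSTART + 2, RLENGTH - 4)
        s = t = c = ""
        for (i = 1; i <= NF; i++) {
            # third colon-separated field of a context is its type
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), b, ":"); t = b[3] }
            if ($i ~ /^tclass=/)   c = substr($i, 8)
        }
        if (s == "" || t == "" || c == "") next
        if (s == t) t = "self"
        key = s SUBSEP t SUBSEP c
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; merged[key] = merged[key] " " p[j] }
    }
    END {
        for (key in merged) {
            split(key, k, SUBSEP)
            printf "allow %s %s:%s {%s };\n", k[1], k[2], k[3], merged[key]
        }
    }'
}

# Usage: printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
```

Reading the merged rules first is the point of the exercise: a rule such as the execmem one above grants a process-wide permission that goes well beyond the single failed call that produced it, so it deserves a look rather than being built into a module unread.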
