Selinux

Bill Davidsen davidsen at tmr.com
Sun Nov 30 01:05:37 UTC 2008


Wolfgang S. Rupprecht wrote:
> Bill Davidsen <davidsen at tmr.com> writes:
>> That's a bit like asking how to turn off the burglar alarm so
>> break-ins won't be so noisy. The correct question is how to set
>> attributes correctly so google earth will run, and the answer may be
>> in the SElinux report, as it often is. Read the report and see if it
>> gives you a command to run which solves the problem.
> 
> ;-)
> 
> Good analogy, extra style points for making one feel guilty for
> turning off something that sounds like it should be a good thing to
> have on in general.
> 
Much easier to have on in distribution configuration on servers, not doing 
bizarre stuff. My mail, dns, dhcp servers run fine that way. Clients doing 
unusual stuff, not so much.

> Each distribution, since I think FC4, I've tried to run selinux and
> after a short time decided it simply wasn't worth the trouble.  On
> anything more complicated than a client-only, stand-alone system, I'd
> get low-probability failures creeping out of the woodwork forever.
> Selinux as currently delivered is a better DOS than any outside
> attacker has ever inflicted on WSRCC in the one and a half dozen years
> it has been on the net.  (Now, I obviously still believe in chrooted,
> internet-facing programs run as powerless per-daemon users, and I'm a
> firm stickler in no non-RSA/DSA remote logins.  I just don't like my
> own system DOS-ing me randomly.)
> 
> This time on F10 selinux lasted exactly 15 minutes.  The first time I
> tried to log in as an NFS automounted user, I realized that things
> have gotten worse in terms of working for me out of the box.  Sure I
> could fight the issue and use the selinux tools to adjust the
> permissions, but why bother, it is clear this hasn't been well tested
> and using selinux will be an uphill battle with a pre-alpha quality
> permissions database that I'll essentially be maintaining on my own.
> 
Haven't done amd home directories since SunOS (yes, the old 68030-based SunOS 
based on BSD), so I can't say, but having had similar issues bind mounting a 
home directory I know what you mean: the stock selinux doesn't like that.

> I strongly suspect that Red Hat doesn't run with selinux enabled on
> their corporate machines.  From how rickety everything still is, it
> just doesn't feel like they eat their own dog-food.  How can NFS-ed
> home directories possibly not work if they did?  Folks from RH are of
> course encouraged to tell me how wrong I am.
> 
I haven't had any problems with systems which permanently mount filesystems on 
local disk. That's a good bit of my usage, and all my server usage; the only 
thing worse than single points of failure is multiple single points of failure, 
and proper redundancy is expensive.

I don't have an answer for your automount issue, my bind mount (in rc.local) is 
followed by some selinux blessing, which I took directly from the warning in 
active but not enforcing mode. After I sprinkle the mount with holy water it works.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
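Reading the denial report instead of switching SELinux off, as the message above advises: a small Python triage script added here (not from the thread or the Fedora tools) that parses AVC audit records, groups them by source type, target type and object class, and attaches the kind of fix each group usually points at. The audit lines are constructed for a bind-mounted home directory left labelled default_t and an NFS-mounted home; the hint wording and the field regex are this example's own assumptions.

```python
import re

# Constructed sample audit records (not from the original message): two denials
# against a bind-mounted home directory left labelled default_t, one against an
# NFS-mounted home, plus a SYSCALL record that carries no AVC decision.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1228005937.101:42): avc:  denied  { read } for  pid=2311 comm="sshd" name="home" dev=sda3 ino=131073 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1228005937.105:43): avc:  denied  { search } for  pid=2311 comm="sshd" name="bill" dev=sda3 ino=131074 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1228005938.210:44): avc:  denied  { read } for  pid=2350 comm="login" name="wsrcc" dev=0:18 ino=2 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1228005938.210:44): arch=c000003e syscall=2 success=no exit=-13
"""

# Field layout of an AVC denial as the kernel writes it to the audit log.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+):\S+\s+tcontext=\w+:\w+:(?P<ttype>\w+):\S+'
    r'\s+tclass=(?P<tclass>\w+)')


def triage_hint(ttype):
    """Map the target type to the fix the denial usually calls for.

    default_t/unlabeled_t on a mount point is a labelling problem (what a bind
    mount produces), nfs_t is normally governed by a boolean; the rest needs the report."""
    if ttype in ("default_t", "unlabeled_t"):
        return "relabel the mount (semanage fcontext + restorecon), do not disable SELinux"
    if ttype == "nfs_t":
        return "check the NFS boolean first (getsebool use_nfs_home_dirs)"
    return "review the setroubleshoot/audit2allow report before changing policy"


def summarize_denials(log_text):
    """Group AVC denials by (source type, target type, class) with a triage hint."""
    groups = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, CWD, PATH records carry no access decision
        key = (m["stype"], m["ttype"], m["tclass"])
        entry = groups.setdefault(key, {"count": 0, "perms": set(), "comm": set(),
                                        "hint": triage_hint(m["ttype"])})
        entry["count"] += 1
        entry["perms"].update(m["perms"].split())
        entry["comm"].add(m["comm"])
    return groups


if __name__ == "__main__":
    for (stype, ttype, tclass), e in summarize_denials(SAMPLE_AUDIT_LOG).items():
        print(f"{e['count']}x {stype} -> {ttype} ({tclass}) {sorted(e['perms'])} "
              f"by {sorted(e['comm'])}: {e['hint']}")
```

On a real system feed it `ausearch -m avc` output or /var/log/audit/audit.log; the grouping shows whether the noise is one mislabelled mount rather than many unrelated policy gaps.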