Head-banging targets, please

Mike Hearn mike at navi.cx
Thu Dec 30 22:43:03 UTC 2004


On Thu, 30 Dec 2004 16:26:24 -0600, David Hart wrote:
> I need help understanding SELinux!

Me too! But I seem to be a bit further along, so I'll see if I can help.
 
> I've read just about every on-line SELinux article I can find, and I am
> getting progressively more confused as I read more.  Following along in
> these articles on a Fedora Core 3 system, reading documents written for
> Fedora Core 2 Test 3 and before, is confusing.  The older the document,
> the more my installation fails to match the documentation.  

Yes it is unfortunate that the documentation ages so quickly, but this is
I think unavoidable. SELinux is still quite a new technology and has a lot
of maturing to do.

It also doesn't help that Fedora have patched upstream SELinux extensively
in the process of actually making it usable, for instance they've made a
lot of stuff more automatic. I believe these patches are being folded back
in upstream, but the problem with doing it "upside down" like this is
that the official docs which most people find first do not correspond to
an actual FC3 installation, which is what most people are actually playing
with SELinux on.

I do not know why these patches weren't developed upstream then pulled
down as they became ready. I guess there are good reasons.

> And, the answers to some basic questions:
>   1) Why does a Fedora Core 3 installation, with SELinux "Active" or
>      "Warn", not install selinux-policy-targeted-sources?  I kept
>      pulling my hair out (little that there is) when trying to find:
>             /etc/selinux/targeted/src/policy
>      All the documents referred to this directory, and it was VERY
>      confusing not to find it.  This directory should at least be an
>      empty directory after a fresh install.

They're quite large and not needed for SELinux to function. It's
unfortunate that the docs assume it's installed, but it's quite a common
mistake (e.g. instructions that tell you to compile software assuming the
dev tools are installed, a very common Linux newbie mistake).

>   2) Are the setools and setools-gui packages required to be used on a
>      SELinux enabled system?  If so, why are they not installed when
>      SELinux is installed?  In particular, I am very confused about how
>      to create new users and new groups.  It looks like I need to update
>      our in-house instructions to use seuseradd, seuserdel, etc. instead
>      of useradd and userdel?

I don't think they are required. On Fedora I think the standard commands
like su etc were patched to use SELinux automatically, so a standard
"useradd" should do the trick.

>   3) Where the heck is the SELinux audit file?  Try as much as I could,
>      I can't find it.  Every document references it, but none I have
>      found actually refer to it by path/filename.

If you mean where AVCs are logged that'd be /var/log/messages.

>   4) I know you guys discuss policy problems all the time, from the
>      viewpoint of their AVC log events, but I'd like to see what one of
>      these AVC log events looks like on my system.  

Here is one from mine:

Dec 30 22:40:39 littlegreen kernel: audit(1104446439.698:0): avc:  denied  { search } for  pid=4659 exe=/sbin/ldconfig name=lib dev=hdd2 ino=4244688 scontext=user_u:system_r:ldconfig_t tcontext=user_u:object_r:file_t tclass=dir

You can get the same error by creating a directory, e.g. ~/.local/lib,
dropping a library in there then running:

/sbin/ldconfig -n .

which should create some magic symlinks for the linker to use, but with
policy as of December 30th 2004 this generates an AVC.

>   5) Does it make sense to have a Workstation installation with the
>      "strict" policy?  Under what circumstances?

Probably not. Strict seems to be under heavy development still. There seem
to be issues with targeted policy still judging by the above test! That
ldconfig command should not have failed.

> I am putting instructions together for people in my Lab on how to
> install and use Fedora Core 3.  One of the early lessons I want to
> document is some simple instructions on how to use SELinux.  Then, as
> other instructions are written for other Lab-oriented tasks, I would
> integrate SELinux into these instructions.  The people in the Lab are
> responsible for maintaining their various computers, so knowledge about
> SELinux appears necessary.  If I can't understand it and explain it to
> them, things are going to get messy.

For now I think it's best to ignore SELinux and assume it'll work in the
background, even if sometimes it doesn't for whatever reason. You need to
know about SELinux for effective system administration, or will in future,
and perhaps also for software development. But regular users should be
able to ignore it and just enjoy the benefits.

thanks -mike
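An added example, not part of the mail above or of Fedora's own tooling: a small Python parser for AVC records in the /var/log/messages format shown in the post, plus a summary that counts denials by source domain, target type, object class and permission. The first sample line is the one quoted in the mail; the other three lines (the second ldconfig denial, the setenforce grant and the sshd line) are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the /var/log/messages format shown in the mail. The first
# line is the one quoted in the post; the other three are made up for this example.
SAMPLE_LOG = """\
Dec 30 22:40:39 littlegreen kernel: audit(1104446439.698:0): avc:  denied  { search } for  pid=4659 exe=/sbin/ldconfig name=lib dev=hdd2 ino=4244688 scontext=user_u:system_r:ldconfig_t tcontext=user_u:object_r:file_t tclass=dir
Dec 30 22:40:39 littlegreen kernel: audit(1104446439.701:1): avc:  denied  { read write } for  pid=4659 exe=/sbin/ldconfig name=ld.so.cache dev=hdd2 ino=4244690 scontext=user_u:system_r:ldconfig_t tcontext=user_u:object_r:file_t tclass=file
Dec 30 22:41:02 littlegreen kernel: audit(1104446462.113:2): avc:  granted  { setenforce } for  pid=4700 exe=/usr/sbin/setenforce scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Dec 30 22:41:10 littlegreen sshd[4712]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
"""

# audit(<seconds.millis>:<serial>): avc:  denied|granted  { perm ... } for  key=value ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+(?P<action>denied|granted)\s+"
    r"\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$"
)

def parse_avc(line):
    """Parse one syslog line; return a dict for an AVC record, or None for anything else."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "action": m.group("action"),
        "perms": m.group("perms").split(),   # "{ read write }" -> ["read", "write"]
    }
    for key, val in re.findall(r"(\w+)=(\S+)", m.group("fields")):
        rec[key] = val
    # A context is user:role:type[:mls]; the type is what a policy rule is written against.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def summarize_denials(log_text):
    """Count denials by (source domain, target type, object class, permission),
    the tuple you look at when deciding whether a denial is a policy bug or a real block."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["action"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["scontext_type"], rec["tcontext_type"], rec["tclass"], perm)] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(n, *key)
```

Running it against a real /var/log/messages (`summarize_denials(open("/var/log/messages").read())`) gives the same kind of per-domain breakdown, with the ldconfig_t / file_t / dir / search entry from the mail showing up as one row.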
