Trying SELinux again on CentOS 5.1 - HOPELESS

Robert Nichols rnicholsNOSPAM at comcast.net
Tue Mar 4 05:32:05 UTC 2008


Arthur Pemberton wrote:
> On Mon, Mar 3, 2008 at 9:34 PM, Robert Nichols
> <rnicholsNOSPAM at comcast.net> wrote:
>> Arthur Pemberton wrote:
>>  > On Mon, Mar 3, 2008 at 6:25 PM, Robert Nichols
>>  > <rnicholsNOSPAM at comcast.net> wrote:
>>  >> Daniel J Walsh wrote:
>>  >>  > Simplest thing is to run this through
>>  >>  > # grep avc /var/log/audit/audit.log | audit2allow -M mypol
>>  >>  > # semodule -i mypol.pp
>>  >>  >
>>  >>  >
>>  >>  > You might want to first update to the U2 preview policy, available on
>>  >>  > http://people.redhat.com/dwalsh/SELinux/RHEL5
>>  >>
>>  >>  This is turning into a worse disaster than I would have imagined.
>>  >
>>  >
>>  > I have SELinux running in targeted mode on two machines with Centos5
>>  > without issue. What exactly is the problem you are having?
>>
>>  You really want to know??  OK, there's probably enough here to get
>>  me banned from the list, but here it comes ... :
> 
> Let's abstract this issue a bit...
> 
> 1) what exactly are you trying to do with the machine
> 2) have you installed any software outside the centos repos?
> 3) when did these problems start?
> 
> I hope you realize that your situation is not the norm. A lot of
> people run RedHat/Centos servers with SELinux so it is definitely not
> mission impossible.

Have you actually read any of this thread?  As I said before, SELinux
is likely to be just fine on a server doing the same fairly limited
things over and over, or on a desktop that runs a Linux distribution
without modification or augmentation and preferably with a user who
doesn't do anything sinister like run commands from a shell prompt.
I have a lot of 3rd party software installed, plus scripts like my
/etc/dhclient-exit-hooks and /sbin/ifup.local that do things
important to me when network interfaces are started, a version of
hplip taken from Fedora Core 6 because it supports my printer and
the version supplied with Centos 5.1 does not, video editing and DVD
authoring software, plus a lot more.  If all I wanted to do was browse
the Web and read e-mail I'd just run MS-Windows.

I decided to take a crack at getting SELinux to run because I'd heard
good things about how much better and easier to use it was since I'd
last tried it back in FC-3.  Initially, I was pleasantly surprised.
I have some oddities in my configuration, such as home directories in
/var/home (bind-mounted to /home) and expected that sort of thing to
be a big problem.  What I found was that semanage made it really,
really easy to set up the file contexts to make that work.  Then I
started running into the silly policy restrictions that make it almost
impossible to make basic things like shell scripts work because, my
God, you can't have commands sending their output to a file!!  That
sort of thing is just not allowable!!  About the time I analyze those
problems enough to find that there might be just a few underlying
causes that a little expert help could solve, I start seeing things
like the boot and shutdown AVCs that aren't related to anything I've
changed at all.

As far as I can see, nothing has changed since the bad old days.  You
can (a) use SELinux on a server and have a reasonable chance of
working out the problems for the limited set of things a server is
called upon to do, or (b) use it on a desktop provided you install
the distribution as it comes and don't add or modify anything, or
(c) don't run SELinux at all.  I am firmly back in category c.  At
this point I've uninstalled the policy and support tools, returned to
my previous setting of selinux=0 as a kernel boot parameter, and
cleared the security ACLs from all inodes on my filesystems.

If I take another look, it'll probably be around FC-10 or FC-11.

-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.
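Editor's note: the thread above touches two SELinux workflows without showing them end to end, the audit2allow loop Daniel Walsh suggests and the semanage file-context setup that made the /var/home bind mount work. The script below is an added example, not code from the thread or from any of its participants. It assumes a CentOS 5 targeted policy with the stock home-directory types (home_root_t, user_home_dir_t, user_home_t; confirm with `semanage fcontext -l | grep home` before relying on them), and the AVC lines it parses are constructed sample data, not real log entries. The first function reproduces, with only sed and awk, the grouping audit2allow performs so that the resulting rules can be read before anything is installed; for a script that was denied writing into a var_t file, the right fix is often to relabel the file into a type the domain may already write rather than to grant the domain write access to var_t wholesale, which is exactly the kind of decision audit2allow cannot make for you.

```shell
#!/bin/sh
# Added example: summarize AVC denials into allow rules (what audit2allow
# would generate) and show the semanage/restorecon steps for /var/home.
# None of this is from the original thread.

# Constructed sample audit.log lines (not real log data).
SAMPLE_AVC='type=AVC msg=audit(1204608000.123:45): avc:  denied  { write } for  pid=1234 comm="dhclient-script" name="ifup.log" dev=sda3 ino=12345 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1204608000.456:46): avc:  denied  { append } for  pid=1234 comm="dhclient-script" name="ifup.log" dev=sda3 ino=12345 scontext=system_u:system_r:dhcpc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1204608001.789:47): avc:  denied  { read } for  pid=2222 comm="hpiod" name="printer.conf" dev=sda3 ino=99 scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1204608001.789:47): arch=40000003 syscall=5 success=no exit=-13'

# Read audit lines on stdin, keep only AVC denials, and emit one
# "allow <src> <tgt>:<class> { perms };" line per (source, target, class),
# merging permissions the way audit2allow does.  Only the type field of
# each context is used; the MLS level (":s0") is optional in the input.
avc_to_allow() {
    grep 'avc:  denied' |
    sed -n 's/.*denied *{ \([^}]*\)} .*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([a-z_]*\).*/\2 \3 \4 \1/p' |
    awk '{ key = $1 " " $2 ":" $3
           for (i = 4; i <= NF; i++)
               if (!seen[key, $i]++) perms[key] = perms[key] " " $i }
         END { for (k in perms) printf "allow %s {%s };\n", k, perms[k] }' |
    sort
}

# Convenience wrapper over the constructed sample so the result is
# available from a named function.
summarize_sample() {
    printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
}

# Build and install a local module from the denials actually seen.
# Review mypol.te (generated beside mypol.pp) before running semodule;
# every rule it contains is a permission you are about to grant.
# Runs only where the SELinux tools exist (root required).
build_local_module() {
    log=${1:-/var/log/audit/audit.log}
    if ! command -v audit2allow >/dev/null 2>&1; then
        echo "audit2allow not installed; skipping" >&2
        return 1
    fi
    grep avc "$log" | audit2allow -M mypol &&
    semodule -i mypol.pp
}

# Give /var/home the same labels the policy assigns to /home, then apply
# them.  Patterns mirror the stock /home rules (assumption: verify with
# `semanage fcontext -l | grep home`).  Root and SELinux tools required.
label_var_home() {
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not installed; skipping" >&2
        return 1
    fi
    semanage fcontext -a -t home_root_t     '/var/home' &&
    semanage fcontext -a -t user_home_dir_t '/var/home/[^/]*' &&
    semanage fcontext -a -t user_home_t     '/var/home/[^/]*/.*' &&
    restorecon -Rv /var/home
}

# Stand-alone run: show what the sample denials would turn into.
summarize_sample
```

Running the script prints the two merged rules the sample lines collapse to; the dhclient-script denials become a single `allow dhcpc_t var_t:file { write append };`, which is the line you would want to question (relabel ifup.log, or log from the hook into a location the dhcpc_t domain is already permitted to write) rather than install verbatim.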




More information about the fedora-selinux-list mailing list