On Sun, 2006-04-02 at 09:31 +0200, A.J. Bonnema wrote:
> Michael Wiktowy wrote:
> > I just fixed my problem with
> > chcon -t texrel_shlib_t /usr/lib/libsipphoneapi.so.0.78.20060211
> > I am not exactly sure what that does though.
> I wonder how many people do these statements without understanding the
> implications? How secure would that be?
I see your point and agree with it except that you can consider...
the target is /usr/lib/libsipphoneapi.so...
so the adjustment is made to one specific file for one specific purpose
and the whole of selinux remains intact beyond that. That is
All this conversation is starting to make me feel a little bit like a lab-rat ;]
Beyond all the philosophical design considerations and discoverability issues, did I do "The Right Thing" here? Also, could someone explain what the textrel_shlib_t context implies over the original lib_t or point me somewhere that does so clearly?
It is not a matter of understanding the subject here but rather having a jargon dictionary for these particular context policies. As I understand it, you could have any number of contexts based on lower-level rules that are all read from policies that are loaded on boot. Names like lib_t and texrel_shlib_t may be nice short-hand and may be obvious once you know how to parse them but without that initial glossary of contexts, it is tough to gain traction in understanding SELinux. One can sift through all the policy files (if I knew where those were kept) but that is the same as reading the source to understand how the application works. It is a high barrier to entry in understanding how to apply premade security infrastructure.
What is needed in the end is a simple document for end users stating:
- here is a list of things that SELinux can control
- here is a list of contexts that Fedora has implemented
- here is what each context controls and which kinds of files or processes they are applicable to
If such a document exists, it is not easily found for someone who doesn't know the right buzz-words to search for. The SELinux FAQ is wonderful but it is *a lot* to digest and contains a great deal of detail that is hard to slog through.
Just one lab-rat's opinion.