Re: SElinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
Subject: Re: SElinux
From: "A.J. Bonnema" <abonnema@xxxxxxxxx>
Date: Sun, 02 Apr 2006 08:10:11 +0200
In-reply-to: <1143947511.1432.105.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
References: <442F144D.1010601@xxxxxxxxx> <1143936629.1432.77.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxx> <f84880b00604011748y7b392311q8a48976f84213c5a@xxxxxxxxxxxxxx> <1143947511.1432.105.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: For users of Fedora Core releases <fedora-list@xxxxxxxxxx>
User-agent: Thunderbird 1.5 (X11/20060313)

Craig White wrote:

SELinux stuff isn't hard. But it does take a few minutes of time and
attention to deal with the 'blocks' that arise - but it is these
'blocks' that confirm why it's installed in the first place.

Hi Craig,

I disagree. I appreciate the intentions of SELInux and I am focussed atunderstanding and learning SELinux. Possibly SELinux will become easierin time as it already has done in FC5. But it is not easy: for peoplelike me, it is hard and it is more than a few minutes to "get" SELinux.

Even though I have read the intro of Dan Walsh, his presentation (andgood word both are!), when I get to practise, I now know how to fix aproblem. But what I don't know, is whether I am introducing securityholes doing this.

I will give you two examples of why I think SELinux is tough.

Example1. Scanning my audit records I get avc-messages which I pipedinto audit2why in order to understand them:

type=AVC msg=audit(1143863788.355:233): avc: denied { write } forpid=5853 comm="squid" name="[35880]" dev=pipefs ino=35880scontext=user_u:system_r:squid_t:s0tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=fifo_file

   Was caused by:
       Missing or disabled TE allow rule.

Allow rules may exist but be disabled by boolean settings; checkboolean settings.You can see the necessary allow rules by running audit2allowwith this audit message as input.

type=AVC msg=audit(1143863788.355:233): avc: denied { write } forpid=5853 comm="squid" name="[35880]" dev=pipefs ino=35880scontext=user_u:system_r:squid_t:s0tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=fifo_file

   Was caused by:
       Missing or disabled TE allow rule.

Allow rules may exist but be disabled by boolean settings; checkboolean settings.You can see the necessary allow rules by running audit2allowwith this audit message as input.

type=AVC msg=audit(1143884764.330:326): avc: denied { write } forpid=18776 comm="squid" name="[79562]" dev=pipefs ino=79562scontext=user_u:system_r:squid_t:s0tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=fifo_file

   Was caused by:
       Missing or disabled TE allow rule.

Allow rules may exist but be disabled by boolean settings; checkboolean settings.You can see the necessary allow rules by running audit2allowwith this audit message as input.

type=AVC msg=audit(1143884764.330:326): avc: denied { write } forpid=18776 comm="squid" name="[79562]" dev=pipefs ino=79562scontext=user_u:system_r:squid_t:s0tcontext=user_u:system_r:unconfined_t:s0-s0:c0.c255 tclass=fifo_file

   Was caused by:
       Missing or disabled TE allow rule.

Allow rules may exist but be disabled by boolean settings; checkboolean settings.You can see the necessary allow rules by running audit2allowwith this audit message as input.

Now, it seems obvious to me, that I can get rid of this message byrunning audit2allow and adding that to the policy. But before I do that,I would like to make a well thought through decision as to whether thisposes a security risk if I fix it this way.


allow squid_t unconfined_t:fifo_file write;

Now: I have no idea, what the security implications of this is......

Example 2.

Apr 2 07:17:03 athene kernel: audit(1143955023.872:69): avc: denied {read write } for pid=13366 comm="squid" name="rpmpkgs" dev=dm-0ino=11207591 scontext=system_u:system_r:squid_t:s0tcontext=system_u:object_r:var_log_t:s0 tclass=file

   Was caused by:
       Missing or disabled TE allow rule.

Allow rules may exist but be disabled by boolean settings; checkboolean settings.You can see the necessary allow rules by running audit2allowwith this audit message as input.


Obviously, squid does something with rpmpkg..........?!

audit2allow says: allow squid_t var_log_t:file { read write };

But what am I doing here? I have really no idea. Is it doing somethingto /var/log files or is it doing something to the packages? I will haveto investigate more to understand this one.

So I don't know whether I should compile these allows into the policy(still have to check how to do that, but that's beside the point).I simply don't know what the implications are. I don't even know ifthese are real problems.

My point being: SELinux is certainly worth understanding and worth theeffort, but to some people (non-admins) it *is* tough.SELinux may not be hard for the well seasoned admin, but it is for me(and I am putting in the effort and I am not finished by a long shot).


Guus.

--
A.J. Bonnema, Leiden The Netherlands,
user #328198 (Linux Counter http://counter.li.org)

References:
- SElinux
  - From: Caser
- Re: SElinux
  - From: Craig White
- Re: SElinux
  - From: Kam Leo
- Re: SElinux
  - From: Craig White

Prev by Date: yum localinstall error
Next by Date: Re: SELinux blocking Gizmo on FC5
Previous by thread: Re: SElinux
Next by thread: Re: SElinux
Index(es):
- Date
- Thread

[Index of Archives] [Current Fedora Users] [Fedora Desktop] [Fedora SELinux] [Yosemite News] [Yosemite Photos] [KDE Users] [Fedora Tools] [Fedora Docs]

Powered by Linux