Re: SElinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2006-04-04 at 14:57 -0500, Robert Nichols wrote:
> Matthew Saltzman wrote:
> > On Tue, 4 Apr 2006, Robert Nichols wrote:
> > 
> >> Changing file contexts is very simple.  Knowing what to change a
> >> file context _to_ in order to fix any particular denial is not so
> >> simple.  And fixing the root problem that is repeatedly causing
> >> similar denials requires quite a bit of knowledge and analysis.
> > 
> > 
> > I've seen references to audit2allow that make me think this tool should 
> > help identify what needs to be changed to fix any particular denial. 
> > Haven't investigated in detail yet.
> 
> There is simply no way for audit2allow to know what is the
> appropriate change.  Should executables with this type always be
> allowed this kind of access?  Does the executable have the wrong
> type?  Does the target file have the wrong context, and if so,
> how did it get that way and what needs to be done so that in the
> future similar files will get the correct context?  The
> immediate problem can be circumvented by changing any of the
> three parameters, but knowing which change is "right" is a bit
> more complicated.
> 
> And that's just for users.  The application developer has a
> whole additional level of complexity to consider if his app.
> finds itself "targeted".
> 
> To make SELinux work for the wide variety of things done on
> desktop machines it needs a staff of highly trained volunteers
> willing to donate their time to analyze each problem and make
> and maintain the appropriate changes to the standard policy on
> each system.  And fix it RIGHT NOW, please, I need to finish
> building this ISO and mail out the CD-R before the Post Office
> closes today.  OK, "setenforce 0" is the quickest fix.  Pardon
> me if I somehow neglect to change that back any time soon.
----
I am quite certain that if you wanted specific help with this issue, the
fedora-selinux list would help you solve it.

If you want to deal with in a generic form of way as you are doing, this
list and the fedora-selinux list aren't likely to be able to provide
much guidance.

Craig


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux