Re: SElinux concern

Tim:
>> Did you follow the above?    [about SELinux context relabelling]

Michael Klinosky:
> No. I have no clue what any of this means. Should I have to do this 
> every time I install a distro? Why have I not read anything about it (on 
> linux maillists or help websites)?
> 
> What is this label concept, and why would I need to relabel any files?

It's SELinux you want to read up on.  The premise behind it is to add
restrictions on top of the Unix permissions, so that some things cannot
read or write the files, e.g. password files being unable to be
webserved out, even if someone's dumb enough to make them
world-readable.  The SELinux contexts outline what the files are for
(personal files, system files, webservable files, etc.), and that
determines what you can do with them.

Generally things work fine, but if there's a mixup, you might have to
relabel the files.  There's a master set of rules which says what
contexts should be applied to files where; the auto-relabel restores
that.

It's just luck of the draw that you've not seen anything about it.
Little mailing list wars do pop up, from time to time, about how it got
in the way of something, that you should fix things rather than just
disable it as gets commonly advised (my handbrake doesn't work properly,
well just get rid of it...), that it (allegedly) can't really do what it
claims, and other conspiracy theories...

>> So, if the problem is that some files are mislabeled, it'll be
>> corrected.

> How would they have gotten mislabeled?

By running software that creates files, and that software not being
aware of SELinux.

By not directly creating files.  e.g. You rename a file to replace a
file - the old file still has its proper SELinux contexts, but the one
you put in its place (by renaming things), doesn't.  Or, you create a
new file in, say, your home space, then copy it over to where it's
supposed to be.  It has your homespace contexts, instead of the proper
contexts for what it is.

It adds a new layer of complexity to things, but the silver lining to
that cloud is some beefing up of security.  e.g. Your computer is less
likely to get exploited thanks to a bug with your web browser or web
server (it helps protect clients and servers).

I would have directed you to a document about SELinux that I found to be
fairly comprehensive, but the turning of the Fedora website into a wiki
has made it damn near impossible for me to find anything.  This is the
best that I could quickly find, and just looking at it presented a
labyrinth of things to go through:

  <http://fedoraproject.org/wiki/SELinux>

I find wikis not too bad, generally, when each page is coherent in
itself.  But when you need to read a pile of disparate pages to
comprehend a subject, they just plain suck.  There's, often, if not
usually, no linear order to follow, and you go around in circles, often
bypassing something important.

-- 
(This box runs FC5, my others run FC4 & FC6, in case that's
 important to the thread.)

Don't send private replies to my address, the mailbox is ignored.
I read messages from the public lists.
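The labelling behaviour discussed in the message above, as an added toy model (this is illustration code, not Fedora's, libselinux's or any poster's code): a file_contexts-style rule table, files that inherit their parent directory's label when created, a rename that carries the old label along, a small allow-table standing in for policy, and a restorecon-like pass that puts labels back to what the rules say. The rule table, the allow-table, the type names and the paths are constructed for the example. One caveat the model makes explicit: with coreutils, `mv` and `cp -a` (or `cp --preserve=context`) keep the source label, while a plain `cp` writes a new file that takes the destination directory's label.

```python
"""Toy model of SELinux file labelling (assumption-laden illustration).

Simplifications: only the type part of a context is modelled, there are no
type-transition rules, and "last matching rule wins" stands in for
libselinux's specificity ordering of file_contexts entries.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed subset of a file_contexts table: (regex, type).
# Later, more specific entries override earlier ones in this model.
FILE_CONTEXTS: List[Tuple[str, str]] = [
    (r"^/home/[^/]+(/.*)?$", "user_home_t"),
    (r"^/etc(/.*)?$",        "etc_t"),
    (r"^/etc/shadow$",       "shadow_t"),
    (r"^/var/www(/.*)?$",    "httpd_sys_content_t"),
]

# Constructed allow-rules: which domain may read which file type.  This is the
# point of the thread: the web server may read web content and ordinary config,
# never shadow_t, whatever the Unix mode bits say.
ALLOW_READ: Dict[str, Set[str]] = {
    "httpd_t": {"httpd_sys_content_t", "etc_t"},
    "user_t":  {"user_home_t", "etc_t"},
}


def expected_type(path: str, rules=FILE_CONTEXTS) -> Optional[str]:
    """Type the rule table says `path` should carry (last match wins)."""
    label = None
    for pattern, t in rules:
        if re.match(pattern, path):
            label = t
    return label


class LabelledFS:
    """In-memory map of path -> type label, standing in for on-disk xattrs."""

    def __init__(self) -> None:
        self.labels: Dict[str, str] = {}

    def install(self, path: str) -> str:
        # The installer / package manager labels what it creates per the rules.
        self.labels[path] = expected_type(path)
        return self.labels[path]

    def create(self, path: str) -> str:
        # A new file inherits its parent directory's label (no transition rule).
        parent = path.rsplit("/", 1)[0] or "/"
        self.labels[path] = self.labels[parent]
        return self.labels[path]

    def copy(self, src: str, dst: str, preserve: bool = False) -> str:
        # Plain cp writes a new file: dst takes the parent's label.
        # cp -a / cp --preserve=context carries the source label along.
        if preserve:
            self.labels[dst] = self.labels[src]
            return self.labels[dst]
        return self.create(dst)

    def rename(self, src: str, dst: str) -> str:
        # mv within one filesystem keeps the inode, so the old label travels.
        self.labels[dst] = self.labels.pop(src)
        return self.labels[dst]

    def can_read(self, domain: str, path: str, world_readable: bool = True) -> bool:
        # Both the Unix bits and the SELinux rule must permit the access.
        return world_readable and self.labels[path] in ALLOW_READ.get(domain, set())

    def restorecon(self) -> List[Tuple[str, str, str]]:
        """Relabel every path to what the rules say; return (path, old, new)."""
        changed = []
        for path, current in list(self.labels.items()):
            wanted = expected_type(path)
            if wanted is not None and wanted != current:
                changed.append((path, current, wanted))
                self.labels[path] = wanted
        return changed


def demo() -> dict:
    """Walk through the two mislabelling stories from the thread."""
    fs = LabelledFS()
    for p in ("/home/tim", "/etc", "/etc/shadow", "/var/www"):
        fs.install(p)
    out = {}
    # Correct labels: a world-readable shadow file is still off-limits to httpd_t.
    out["shadow_ok"] = fs.can_read("httpd_t", "/etc/shadow")
    # A non-SELinux-aware tool rewrites shadow via temp file + rename over it.
    fs.create("/etc/shadow.tmp")                 # inherits etc_t from /etc
    fs.rename("/etc/shadow.tmp", "/etc/shadow")  # /etc/shadow is now etc_t
    out["shadow_after_rename"] = fs.can_read("httpd_t", "/etc/shadow")
    # A page drafted in $HOME and moved into the web root keeps user_home_t.
    fs.create("/home/tim/index.html")
    fs.rename("/home/tim/index.html", "/var/www/index.html")
    out["page_after_mv"] = fs.can_read("httpd_t", "/var/www/index.html")
    # The relabel pass (restorecon / boot-time autorelabel) fixes both.
    out["fixed"] = fs.restorecon()
    out["shadow_after_fix"] = fs.can_read("httpd_t", "/etc/shadow")
    out["page_after_fix"] = fs.can_read("httpd_t", "/var/www/index.html")
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it and the two directions of the problem show up side by side: the rename-over-shadow case loosens protection (the web server domain could suddenly read a file it should not), while the moved web page tightens it in the wrong place (the server gets denied on content it should serve). On a real box the equivalents of the checks here are `ls -Z` to see the current label, `matchpathcon` to see what the rules want, and `restorecon` to reconcile the two.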

