On Wed, 2007-08-29 at 17:09 +0100, Alan Cox wrote:
> > Would any of you out there care to share with me any of your personal
> > experiences with SELinux being useful to you (in any way whatsoever), on
> > a single-user workstation?
>
> I leave it on and haven't had any problems with it for the past few
> releases. It makes a large subset of potentially exploitable holes turn
> into rather unexploitable ones and that to me is of value.
>

I leave it on. I am notified by setroubleshoot when it stops something. If I think all the errors reported by setroubleshoot are not errors, I run a script to permit those accesses. I got the list of commands for the script from a previous thread:

#!/bin/bash
# Build SELinux policy modules from the AVC denials recorded in the audit log.
# Usage: script [module-name] [rebuild]
#   no second argument:  create one new module from the current audit log
#   any second argument: recompile and reinstall every saved NAME*.te module
mkdir -p /root/selinux
pushd /root/selinux
declare name="${1:-local}"
declare rebuild="${2}"
if [ -z "${rebuild}" ]
then
  # Pick the first unused module name: local, local1, local2, ...
  declare origname="${name}"
  declare -i index=1
  while [ -e "${name}.te" ]
  do
    name="${origname}${index}"
    let index++
  done
  # Generate the type enforcement source from the log, compile it, load it.
  audit2allow -m "${name}" -l -i /var/log/audit/audit.log > "${name}.te"
  checkmodule -M -m -o "${name}.mod" "${name}.te"
  semodule_package -o "${name}.pp" -m "${name}.mod"
  semodule -i "${name}.pp"
else
  # Recompile and reload every saved module, e.g. after a policy update.
  for i in "${name}"*.te
  do
    base="${i%.te}"   # strip the .te suffix before building .mod/.pp names
    checkmodule -M -m -o "${base}.mod" "${i}"
    semodule_package -o "${base}.pp" -m "${base}.mod"
    semodule -i "${base}.pp"
  done
fi
popd

My list of exceptions is kept in the directory /root/selinux. Each time selinux or the target policy for selinux gets updated I remove the /root/selinux directory and create a new list of exceptions when setroubleshoot notifies me. What I am doing requires I look at each notification message and decide if the message really is bogus. If I guess wrong, I will be creating a security hole. My hope is the list of notifications remains minimal.
At this moment, I have one file, generated by the script, /root/selinux/local.te, which contains:

module local 1.0;

require {
	type var_lib_nfs_t;
	type httpd_t;
	type system_dbusd_t;
	class dbus send_msg;
	class dir search;
}

#============= httpd_t ==============
allow httpd_t system_dbusd_t:dbus send_msg;
allow httpd_t var_lib_nfs_t:dir search;

I do not claim to know what these exceptions actually do. I feel comfortable with these exceptions because I use iptables to whitelist IP addresses that may access my computer. If your IP address is not on my list, for the service I want you to access, iptables is set to drop the incoming packet from you.

Disclaimer: I want to leave selinux on. I do not pretend to understand how to properly control/configure selinux. I created the script by reading threads on this mailing list. If the script does not work or does something bad, please communicate problems to the mailing list. This mailing list, or other mailing lists, will be able to give help with selinux. Any help from me will be the blind leading the blind. I would appreciate comments from people who do understand selinux on what I have done.
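An added review step for the workflow in the message above (example code, not from the original post or the thread): before the audit log is fed to audit2allow, summarise each distinct AVC denial as the allow rule it would become and flag the ones that touch types or permissions nobody should grant without a deliberate decision. The sample log lines, the sensitive-type and permission lists, and the function names are constructed for this example.

```shell
#!/bin/bash
# Added example, not from the original post: summarise AVC denials in an audit
# log as the allow rules audit2allow would generate, so each one can be judged
# before it is compiled into a module. The sample log lines are constructed.
SAMPLE_AVC='type=AVC msg=audit(1188401345.123:45): avc:  denied  { search } for  pid=2201 comm="httpd" name="nfs" dev=sda2 ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_nfs_t:s0 tclass=dir
type=AVC msg=audit(1188401346.456:46): avc:  denied  { send_msg } for  pid=2201 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=dbus
type=AVC msg=audit(1188401347.789:47): avc:  denied  { read } for  pid=2201 comm="httpd" name="shadow" dev=sda2 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# Assumed starting denylist for review: target types and permissions that a
# locally generated allow rule should never grant just because a log said so.
SENSITIVE_TYPES='shadow_t|security_t'
SENSITIVE_PERMS='execmem|execmod|execstack'

# summarize_avc FILE: print "COUNT allow SRC TGT:CLASS { PERMS };" per distinct denial.
summarize_avc() {
    awk '/avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""; inperm = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inperm = 1; continue }
            if ($i == "}") { inperm = 0; continue }
            if (inperm) { perms = perms $i " "; continue }
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            if ($i ~ /^tclass=/) cls = substr($i, 8)
        }
        n[src " " tgt ":" cls " { " perms "}"]++
    }
    END { for (k in n) printf "%d allow %s;\n", n[k], k }' "$1" | sort
}

# flag_sensitive FILE: the subset of proposed rules a reviewer must not wave through.
flag_sensitive() {
    summarize_avc "$1" | grep -E " (${SENSITIVE_TYPES}):| (${SENSITIVE_PERMS}) " || true
}

# Stand-alone demo on the constructed sample; point it at
# /var/log/audit/audit.log the same way before running audit2allow.
demo_file=$(mktemp)
printf '%s\n' "$SAMPLE_AVC" > "$demo_file"
echo "== proposed rules =="; summarize_avc "$demo_file"
echo "== needs review =="; flag_sensitive "$demo_file"
rm -f "$demo_file"
```

In the sample, the two httpd_t rules from the message above pass through as ordinary proposals, while the constructed shadow_t read is singled out for review rather than silently becoming an allow rule.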