Re: SELinux -- another view ?


 



:-)

On Thursday 18 October 2007 18:58, William Case wrote:
> I believe the problem is in RTFM.  There is no FM manual to read.

I started with man selinux, and read on what was suggested in the "see also" 
section from there, focusing on what seemed most interesting. Given the 
particular problem I had, I found out that the answer Dan Walsh kindly 
provided for me here on the list was precisely in the "examples" section of 
one of the man pages.

> Since SELinux is a major alteration to the kernel, there should be
> equally as extensive and informative documentation and explanations -
> starting with the simplistic up to the detailed.  Appropriate assistive
> guis would be welcome.

Think of it as an extension to the concept of permissions. That's as simple as 
one can get (actually, SELinux is probably much more complicated, but from a 
naive user's perspective it looks pretty much the same).

When something does not work, look at /var/log/messages, and find out that 
your program has some_label_t while the object it tries to access has 
some_different_label_t. The nontrivial part is to understand that two labels 
are "incompatible", why is that so, and what is the proper solution.

The learning curve may seem steep, but this is also the case when one is not 
familiar with the usual unix permissions system. However, I don't see any people 
whining that permissions are "too technical", or "not useful for ordinary 
user" or "too buggy and introduce vulnerabilities" or "there should be a way 
to uninstall them". Just like permissions, SELinux is not a package, it is a 
Way Of Things, a paradigm that is useful and brings more control to the user.

Furthermore, I have been a Win* convert for several years now, and have not so 
far RTFM on unix perms, ever (other than man pages for chmod, chown and 
chgrp). Yet still, I learned to use them and resolve any issues that might 
appear. I am not even sure that there is an FM for that at all... ;-)

> Meanwhile, until the day comes that I have the time for intensive study,
> I will leave SELinux in permissive mode.

That would be analogous to using the root account for regular work, just to 
avoid problems when a "permissions denied" message appears to an ordinary user 
account. And we all know that is a Bad Idea.

Best, :-)
Marko

Marko Vojinovic
Institute of Physics
University of Belgrade
======================
e-mail: vmarko@xxxxxxxxxxxx
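
Added example, not part of the original message: a small Python parser for the label mismatch described above, which pulls the source type (the program's label) and target type (the object's label) out of AVC denial lines of the kind found in /var/log/messages and merges repeats. The log lines, host name and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of kernel AVC messages (not real logs).
SAMPLE_LOG = """\
Oct 18 19:02:11 host kernel: audit(1192726931.412:57): avc:  denied  { read } for  pid=2311 comm="httpd" name="index.html" dev=dm-0 ino=98561 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Oct 18 19:02:12 host sshd[2400]: Accepted password for demo from 192.0.2.10 port 51000 ssh2
Oct 18 19:02:15 host kernel: audit(1192726935.020:58): avc:  denied  { getattr } for  pid=2311 comm="httpd" path="/home/demo/index.html" dev=dm-0 ino=98561 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Oct 18 19:03:40 host kernel: audit(1192727020.771:61): avc:  denied  { name_bind } for  pid=2502 comm="named" src=8053 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="?(?P<comm>[^"\s]+)"?'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

def context_type(context):
    # A context is user:role:type[:level]; the type is the third field.
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_denials(log_text):
    """Return one dict per AVC denial line; other log lines are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "comm": m.group("comm"),
                "perms": m.group("perms").split(),
                "source_type": context_type(m.group("scontext")),
                "target_type": context_type(m.group("tcontext")),
                "tclass": m.group("tclass"),
            })
    return denials

def summarize(denials):
    """Merge repeats into one entry per (source type, target type, class)."""
    merged = defaultdict(set)
    for d in denials:
        key = (d["source_type"], d["target_type"], d["tclass"])
        merged[key].update(d["perms"])
    return {key: sorted(perms) for key, perms in merged.items()}

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{src} -> {tgt} ({cls}): denied {', '.join(perms)}")
```

The summary shows which pairs of labels are in conflict; deciding why they conflict and what the proper fix is remains the nontrivial part.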



