Re: SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 30 Aug 2010 21:10:12 +0900, Takehiko Abe wrote:

>> I've had exactly the opposite experience running SELinux, even with
>> hand- compiled applications from a variety of sources - including my
>> own.
> 
> You say "the opposite" but you seem to have a lot of problems and spent
> fair amount of time because of SELinux. And what you get in return?
> Nothing except for a vague notion of "security".

I have not spent a large amount of time. Songbird and Mono are the only 
two troublesome issues I've had since SELinux has been a part of Redhat/
Fedora.

I spent 1 hour (and one bug report) on Songbird. I abandoned it because 
it ran poorly and had multiple SELinux issues. I did spend a few days off 
and on with mod_mono and friends. I finally decided that even if I got 
mod_mono running cleanly, any C#.NET programming I needed to do (mostly 
Java / .NET integration via SOAP) would be better done on Windows.

The NVidia issue is well known, documented, and actually mostly taken 
care of in their install script.

Other minor issues, such as the cron file descriptor leak, are normal 
bugs and taken care of pretty rapidly by the maintainers of various 
packages.

As far as a vague notion of security, I have to confess I have not 
studied SELinux, so I don't know the material in detail. It's on my list 
of things to do, but right now I'm in the middle of working on portlets 
(JSR 286), and some Tomcat configurations which I hope to write up. There 
is just so much time in the day . . .

That being said, one of the particular things that SELinux does that I 
like is preventing privileged applications from writing where it is 
unexpected. For example, unless you specifically label a directory for 
httpd, you'll get an SELinux denial (or warning if you run in permissive 
mode) when httpd tries to read or write from directories not deemed safe. 
If you're developing PHP and using the ~username/public_html option to 
get around having to copy things over as root, this can be a bit of a 
pain until you label your file system correctly.

However, this is a really valuable warning / denial. Many PHP frameworks 
tend to write temporary files. It would be nice to have the system deny 
those files if they're not in the expected places. Attackers subvert PHP 
frameworks all the time. By preventing files getting written to 
unexpected places, this makes the attack more difficult and the system 
more secure.

I've not had my use of the system hampered or curtailed by SELinux. I'm a 
pretty aggressive user. Right now I have an IDE (NetBeans), an editor 
(emacs), firefox, thunderbird, gyachi, pan, a shell, streamtuner, and 
audacious 2 running as this user. Sometimes I'll also have OpenOffice or 
Pencil running. I have Apache and MySQL running in the background, and I 
will be starting Tomcat 6.0.18 and Derby for testing soon (my portal 
container has issues with Tomcat 6.0.29). I occasionally run IP aliases 
to simulate multiple machines. Sometimes I'll fire up Google Earth when 
events happen in another part of the world where friends of mine live.

While doing this, I have had absolutely no issue with SELinux. Any small 
warning (haven't seen one in over a week) I can usually handle by issuing 
the appropriate SELinux command. I always file a bug report so that 
people can fix their programs. It's not much that I give back to Fedora 
(I spend a lot more time on ASF software), but it's a start.

As another person has said, if a program gives multiple SELinux warnings 
and seems to defy any simple attempts at file labeling as a fix, then 
maybe it's a poorly written program. If the program maintainers are not 
responsive to SELinux problems, then maybe the programmers have too much 
on their plates to properly maintain their contributions. In any case, 
there are almost always other packages that perform the same tasks 
without the SELinux issues.

Of course, you always have the option of turning off SELinux. It's been 
my experience that turning off SELinux is not necessary. Personally, I 
like knowing when a potentially unsafe operation is happening on my 
system. I actually learn a bit about security. I then change my habits 
and become a more security-conscious user, programmer, architect, system 
administrator.

Learning new stuff is not a bad thing. In fact, it's pretty fun.

. . . just my two cents

/mde/

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux