Re: SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Jorge FÃbregas <jorge.fabregas@xxxxxxxxx> wrote:

 > Ok, there has been a lot of these lately (execstack).  I had those with
 > AviDemux and solved it by removing execstack from the particular library
 > causing it.
 
I had "execstack" messages with a self-compiled Exim and OpenSSH.
Couldn't find any libraries with the execstack flag set (it's been
years ago that I had to set execstack... on MPlayer if I remember
correctly). Since I couldn't easily find out what's causing this
SELinux error (which includes launching setroubleshootd and eating
a significant amount of system resources) I helped myself with some
googled calls to "chcon" on the binares. Creating a custom policy helped
as well (as suggested by sealert), but installing a custom policy with
"semodule -i" takes a lot of time, and to be honest, I don't fully
understand every policy generated by "audit2allow" (some are small
and easy to understand but some could get quite large). I don't like
to trust security that I don't understand.

Although I wouldn't say that the number of SELinux errors is high,
I still found myself running my systems in "permissive mode" most
of the time.

Because SELinux in permissive mode gives no security, I finally
disabled it completely. Some applications are a lot faster now,
for example SSH which no longer has to check/switch SELinux context.

SELinux gives extremly fine-grained control. Nice thing if there's
somebody who keeps the SELinux policies up to date for you like the
Fedora team does for their repositories. There's an update every
couple of days so they obviously put a lot of work into it.

But SELinux is like hell on earth if you install something that
is not covered by the standard policy. If you're not an SELinux
expert yourself and don't want to spend most of your time searching
the web to fix SELinux issues, you may end up defining aliases for
"setenforce 0" and "setenforce 1" because you need it so often.
That's not good. ;-)

I always try to make my systems secure in the first place
(as if there was no SELinux at all). Hopefully, people don't
get too used to SELinux and design their software without
security in mind because they fully rely on SELinux to keep
bad things from happening.

This is not a rant against SELinux. I'm sure it's very cool if you
really understand how everything works and if you can write your
own policies without the help of Google. I tried - but failed.

Maybe it's helps to make SELinux more manageable for non-experts. 
setroubleshootd/sealert is so slow, it's not very useful. Some of
its messages are good to understand but most are not (basically
just saying you have to run audit2allow/semodule and install
exceptions for everything).

I wish I was better in managing SELinux. Well, maybe one day ...

	Greetings, Andreas
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines


[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux