Re: SELinux on Fedora 17 - troubles, troubles, troubles, ...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/20/2012 03:19 AM, Mateusz Marzantowicz wrote:
> On 19.07.2012 15:41, Daniel J Walsh wrote:
>> On 07/19/2012 05:24 AM, Mateusz Marzantowicz wrote:
>>> Why is using SELinux on Fedora (I don't have experience with other
>>> distros) so painful from a regular user's perspective?
>> 
>>> I'm talking about a situation in which, after installing stock packages
>>> and "just running" applications, I'm spending more time with the SELinux
>>> Alert Browser than with any other system management utility.
>> 
>>> You'd probably say that it's my fault, that I messed with SELinux
>>> settings (yes, I confess, I've enabled samba sharing on some of my
>>> directories under home, but I've done this based on the official Wiki),
>>> but actually I only followed instructions from the alert browser. I've
>>> applied custom policies for one or two files that I then removed after
>>> one or two hours.
>> 
>>> I think that right now my system is as secure as with SELinux disabled
>>> because of all the modifications that I've made. I'm not an idiot, but
>>> I really can't track all the security policies that are active on my
>>> desktop system used for daily work.
>> 
>>> Do I really need to become a security expert specialized in SELinux to
>>> use my system? I started reading about SELinux design and configuration,
>>> but I think it's a waste of time. My current SELinux problem is caused by
>>> systemd-tmpfiles trying to clean up my /tmp dir, where I copied some
>>> files from my home directory to play with and ... left them for automatic
>>> cleanup. The solution is obvious - remove the files from /tmp manually -
>>> but then the auto-removal mechanism provided by Fedora is redundant.
>> 
>>> Is there a chance that someday users will use SELinux without even
>>> noticing it's installed?
>> 
>> 
>>> Mateusz Marzantowicz
>> 
>> 
>> 
>> Well, you are complaining about two different problems, let's address them
>> separately.  Setting up samba with SELinux can be daunting, since SELinux
>> does not just allow samba servers to share all content on the system out
>> of the box.  You have to tell SELinux what you want to change.
>> 
>> Did you look at the man samba_selinux?  We now have over 400 man pages
>> to explain how SELinux interacts with different applications on a RHEL
>> box.
>> 
>> You also might want to read
>> 
>> http://danwalsh.livejournal.com/30837.html
>> 
>> which might help you understand SELinux a little better.
>> 
>> As far as the /tmp problem with systemd-tmpfiles, this is a bug in the
>> policy that we are investigating.  Basically what is happening is we
>> removed something that caused random leftover content in /tmp to
>> become invalid, and systemd-tmpfiles is not allowed to look at the
>> content or delete it.  It is probably just best if you delete the content
>> and then SELinux will stop complaining about it.
>> 
>> ls -lZ /tmp/pulse-* -d
>> drwx------. gdm    gdm    system_u:object_r:xdm_tmp_t:s0   /tmp/pulse-51xb22O5vXMk
>> drwx------. dwalsh dwalsh staff_u:object_r:user_tmp_t:s0  /tmp/pulse-cvPtFlQSQRNj
>> 
>> 
>> If one is unlabeled_t, then delete it.
>> 
>> If you have any problems with SELinux please open a bugzilla or come to 
>> #selinux on freenode, there are people there to help you.
>> 
>> 
>> 
>> 
> 
> Thank you all for your answers and provided help on this subject.
> 
> I was able to successfully set up samba sharing using information from
> the Fedora Wiki; all is very clear and accurate there (at least for my case).
> Sadly, after some time I was informed that some other policy problems
> existed related to my setup, but I resolved them quickly with the alert browser.
> Thanks anyway for more hints.
> 
> I have one more question: is there a method to reset selinux attributes on
> file system objects to factory defaults, meaning the state after fresh
> installation?
> 
> 
> Mateusz Marzantowicz
> 
If you just used chcon, restorecon will set them back to the defaults.  If
you used semanage to change the labels in the labeling database, you would
have to remove the records.

semanage fcontext -l -C

would list any file context label changes.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAJvocACgkQrlYvE4MpobPJQQCglUhNKwQ0ckYOfHt9Ggp2qoyi
P9kAn3XCUBYffBstGnFT4+0tAaw2YT/A
=R1VC
-----END PGP SIGNATURE-----
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
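The two-step reset described in the reply above (drop the local `semanage fcontext` records, then let restorecon relabel from the stock policy) can be scripted. The following is an added example, not code from Dan Walsh or from the Fedora project: it parses the output of `semanage fcontext -l -C` (a constructed sample is embedded, the real command prints the same three space-separated columns) and emits the `semanage fcontext -d` and `restorecon -R -v` commands that would undo each customization. Nothing is executed, so the generated lines can be reviewed before being run as root. The `-f` letters follow the semanage-fcontext(8) man page of current policycoreutils; the 2012-era tool accepted different spellings, so treat that mapping as an assumption, and the path chosen for restorecon is a heuristic derived from the literal prefix of each regex spec.

```shell
#!/bin/sh
# Added example, not from the thread. Turns the local file-context
# customizations listed by `semanage fcontext -l -C` into the
# `semanage fcontext -d` commands that remove them, followed by the
# restorecon calls that relabel the affected trees from the default
# policy. Nothing is executed: the output is a script to review first.

# Constructed sample of `semanage fcontext -l -C` output. The real
# command prints the same three columns separated by runs of spaces.
SAMPLE_FCONTEXT_LIST='SELinux fcontext                                   type               Context

/home/mateusz/share(/.*)?                          all files          system_u:object_r:samba_share_t:s0
/home/mateusz/pub(/.*)?                            directory          system_u:object_r:public_content_rw_t:s0
/home/mateusz/notes\.txt                           regular file       system_u:object_r:samba_share_t:s0
'

# Read `semanage fcontext -l -C` output on stdin, print the undo script.
fcontext_reset_commands() {
    awk -v q="'" '
        # Header lines and blank lines carry no records.
        $1 == "SELinux" || NF == 0 { next }
        {
            n = split($0, col, /  +/)
            if (n < 3) next
            spec = col[1]; ftype = col[2]

            # The type column maps onto the -f letter semanage takes
            # (assumed from current semanage-fcontext(8)); "all files"
            # is the default and needs no -f.
            flag = ""
            if (ftype == "regular file")          flag = " -f f"
            else if (ftype == "directory")        flag = " -f d"
            else if (ftype == "character device") flag = " -f c"
            else if (ftype == "block device")     flag = " -f b"
            else if (ftype == "socket")           flag = " -f s"
            else if (ftype == "symbolic link")    flag = " -f l"
            else if (ftype == "named pipe")       flag = " -f p"
            else if (ftype != "all files") { print "# skipped, unknown type: " $0; next }

            # Specs are regexes: single-quote them for the shell.
            quoted = spec
            gsub(q, q "\\\\" q q, quoted)
            printf "semanage fcontext -d%s %s%s%s\n", flag, q, quoted, q

            # Heuristic restorecon target: the literal prefix before the
            # first regex metacharacter ("." is treated as literal since it
            # matches itself in a path). "/srv/x(/.*)?" -> /srv/x,
            # "/a/b\\.txt" -> /a (the prefix is not a whole path component).
            m = match(spec, /[][(){}*?+^$|\\]/)
            if (m == 0) target = spec
            else if (substr(spec, m, 1) == "(") target = substr(spec, 1, m - 1)
            else {
                target = substr(spec, 1, m - 1)
                sub(/\/[^\/]*$/, "", target)
            }
            if (target == "") target = "/"
            if (!(target in seen)) { seen[target] = 1; order[++k] = target }
        }
        END {
            for (i = 1; i <= k; i++)
                printf "restorecon -R -v %s%s%s\n", q, order[i], q
        }'
}

# Stand-alone run: show what would be undone for the constructed sample.
# On a real system: semanage fcontext -l -C | fcontext_reset_commands
printf '%s' "$SAMPLE_FCONTEXT_LIST" | fcontext_reset_commands
```

Running `semanage fcontext -l -C | sh` is not the intent: the emitted lines are meant to be read first, because deleting a record that a service depends on (a samba share directory, for instance) puts the labels back to what the distribution policy says, which is the "factory default" asked for in the thread but may also be exactly what broke the share.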