-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/20/2012 03:19 AM, Mateusz Marzantowicz wrote: > On 19.07.2012 15:41, Daniel J Walsh wrote: >> On 07/19/2012 05:24 AM, Mateusz Marzantowicz wrote: >>> Why is using of SELinux on Fedora (I don't have experience with other >>> distros) so painful from a regular user perspective? >> >>> I'm talking about situation in which after installing stock packages >> and >>> "just running" applications I'm spending more time with SELInux Alert >>> Browser than any other system management utility. >> >>> You'd probably say that it's my fault, that I messed up with selinux >>> settings (yes, I confess, I've enabled samba sharing on some of my >>> directories under home but I've done this based on official Wiki) but >>> actually I only followed instructions from alert browser. I've applied >>> custom policies for one or two files that I then removed after one >> or two >>> hours. >> >>> I think that right now my system is as secure as with selinux disabled >>> because of all that modification that I've made. I'm not an idiot but >>> I really can't track all security policies that are active in my >>> desktop system used for daily work. >> >>> Do I really need to became security expert specialized in SELInux to >> use my >>> system? I started reading about selinux design and configuration but I >>> think it's a waste of time. My current selinux problem is caused by >>> systemd-tmpfiles trying to cleanup my /tmp dir where I copied some >> files >>> from home directory to play with and ... left them for automatic >> cleanup. >>> Solution is obvious - remove files form /tmp manually but then >> autoremover >>> mechanism provided by Fedora is redundant. >> >>> Is there a chance that someday users will use selinux without even >> noticing >>> it's installed? >> >> >>> Mateusz Marzantowicz >> >> >> >> Well you are complaining about two different problems, lets address them >> separately. Setting up samba with SELinux can be daunting, since SELinux >> does not just allow samba servers to share all content on the system out >> of the box. You have to tell SELinux what you want to change. >> >> Did you look at the man samba_selinux? We now have over 400 man pages >> to explain how SELinux interacts with different applications on a RHEL >> box. >> >> You also might want to read >> >> http://danwalsh.livejournal.com/30837.html >> >> which might help you understand SELinux a little better. >> >> As far as the /tmp problem with systemd-tmpfiles, this is a bug in the >> policy that we are investigating. Basically what is happening is we >> removed something that caused a random leftover content in /tmp to >> become invalid and the systemd-tmpfiles is not allowed to look at the >> content or delete it. It is probably just best if you delete the content >> and then SELinux will stop complaining about it. >> >> ls -lZ /tmp/pulse-* -d drwx------. gdm gdm >> system_u:object_r:xdm_tmp_t:s0 /tmp/pulse-51xb22O5vXMk drwx------. dwalsh >> dwalsh staff_u:object_r:user_tmp_t:s0 /tmp/pulse-cvPtFlQSQRNj >> >> >> If one is unlabeled_t, then delete it. >> >> If you have any problems with SELinux please open a bugzilla or come to >> #selinux on freenode, there are people there to help you. >> >> >> >> > > Thank you all for your answers and provided help on this subject. > > I was able to successfully setup samba sharing using information from > Fedora Wiki, all is very clear and accurate there (at last for my case). > Sadly after some time I've been informed that some other policy problems > existed related to my setup but I resolved them quickly with alert browser. > Thanks anyway for more hints. > > I have one more question: is there a method to reset selinux attributes on > file system objects to factory defaults, meaning the state after fresh > installation? > > > Mateusz Marzantowicz > If you just used chcon, the restorecon will set them back to the defaults. If you used semanage to change the labels in the labeling database, you would have to remove the records. semanage fcontext -l -C Would list any file context label changes. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAlAJvocACgkQrlYvE4MpobPJQQCglUhNKwQ0ckYOfHt9Ggp2qoyi P9kAn3XCUBYffBstGnFT4+0tAaw2YT/A =R1VC -----END PGP SIGNATURE----- -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org