Re: SELinux and access across 'similar types'




On Wed, Jan 11, 2012 at 1:23 PM, Lamar Owen <lowen@xxxxxxxx> wrote:
> On Wednesday, January 11, 2012 01:22:05 PM Les Mikesell wrote:
>> I don't think of myself as a 'normal user', but I still don't
>> appreciate it when a distribution goes out of its way to arbitrarily
>> modify and break what application developers spent years designing and
>> writing.
>
> SELinux does not 'go out of its way' to 'break' anything; rather, SELinux enforces a deny by default 'need to access' policy.

Yes, the breakage came from having someone who didn't understand the
needs define that policy.

> If you need to special-case stuff, then you need to do an analysis of the special cases you need to create; this is what a testing server running SELinux in permissive mode is for, as there is no better analysis of what SELinux needs than SELinux in permissive mode logging what your application is using.  Get the logs and run audit2allow and package that as a piece of your applications' SELinux policies.

So if an application only needs to do something once at some future
time, what happens?  If you write an application that will need to do
something at some rare future time, what is the standard way to tell
distribution packaging systems and system administrators to permit it?

> That is new, but it isn't very hard.

Doesn't that really depend on what the application needs to do?

-- 
   Les Mikesell
     lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
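
The permissive-mode workflow mentioned in the quoted text (collect the AVC denials, then derive allow rules from them), as an added Python example that is not part of the original thread and is not audit2allow's own code. The `myapp_t` domain and the log lines are constructed for illustration; the output contains rules only for accesses that were actually logged.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not from the original thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1326300000.101:411): avc:  denied  { read } for  pid=2211 comm="myapp" name="data.db" dev=dm-0 ino=1311 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1326300000.102:412): avc:  denied  { write } for  pid=2211 comm="myapp" name="data.db" dev=dm-0 ino=1311 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1326300005.330:420): avc:  denied  { name_connect } for  pid=2211 comm="myapp" dest=5432 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1326300005.330:420): arch=c000003e syscall=42 success=no exit=-13 comm="myapp"
type=AVC msg=audit(1326300009.000:431): avc:  granted  { getattr } for  pid=2211 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Matches denials only; "granted" records and non-AVC records are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<s>\S+).*?tcontext=(?P<t>\S+).*?tclass=(?P<cls>\S+)"
)

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]

def rules_from_log(text):
    """Collapse AVC denials into sorted type-enforcement allow rules."""
    merged = defaultdict(set)  # (source type, target type, class) -> perms
    for line in text.splitlines():
        if not line.startswith("type=AVC"):
            continue
        m = AVC_RE.search(line)
        if not m:
            continue  # granted or malformed record
        key = (context_type(m["s"]), context_type(m["t"]), m["cls"])
        merged[key].update(m["perms"].split())
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules

if __name__ == "__main__":
    print("\n".join(rules_from_log(SAMPLE_LOG)))
```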


