first encounters with SELINUX, with some suggestions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

I upgraded to FC3 this weekend.  I always try and go with the defaults
on a new install, because when fielding bug reports for my various
projects I prefer to make the defaults work first so bug reporters and I
have a common ground to work with.

Since the default SELINUX policy is "targeted" I chose this, bracing
myself :)

My first task was getting all my locally hosted websites to run.

I have a few virtualhosts in my /home/thomas/www directory.  When
starting apache, the service script complains about these directories
missing.

Please note that I have a separate /home partition on hda6; I don't know
if this affects any policy (yet).

The system log file shows things like:
audit(1100000312.370:0): avc:  denied  { search } for  pid=12350
exe=/usr/sbin/httpd name=thomas dev=hda6 ino=557094
scontext=root:system_r:httpd_t tcontext=system_u:object_r:default_t
tclass=dir

I read through a few howto's, including
http://fedora.redhat.com/docs/selinux-faq-fc3/index.html
(which has all of its internal links broken, can somebody please fix
this, it's quite annoying !) and the writing policy howto mentioned
herein: https://sourceforge.net/docman/display_doc.php?
docid=21959&group_id=21266

The latter has a paragraph about where policy is stored, and mentions
Makefiles and other stuff in /etc/selinux.  None of this is present on
my FC3 system, so I'm assuming here that Red Hat has changed some things
from the default SELinux which obliviate this step, but I have way of
finding out how.  Am I missing something ? Maybe there's a package I
need to install ?

I decided to learn about SELinux through the equivalent of poking at it
with a large stick.
I started adding some policy
to /etc/selinux/targeted/contexts/files/file_contexts, adding a line
reading:

/home/thomas/www
system_u:object_r:httpd_sys_content_t

The former howto tells me I can run
/sbin/fixfiles relabel /home/thomas/www

but that command just gives me this:
Usage: /sbin/fixfiles {-R rpmpackage[,rpmpackage...] [-l logfile ] [-o
outputfile ] |check|restore|[-F] relabel}

It would seem to me that what I issued was correct, both from the howto
as well as the usage output.  Clearly I'm missing something else here.

So I tried this:
restorecon -v -R /home/thomas/www

and that did something.  How do these two tools differ ? Why does the
first not work as advertised.

Using ls -alz /home/thomas I seem to get the impression this security
context has been adopted.  Still, apache refuses to see the directory.

So I read some more of the howto.  There's a binary called audit2allow
that could help me generate rules.  So I run it, restart apache a few
times, but the binary doesn't print anything, not even with -v.  Maybe
I'm using it wrong, but there's no way of finding out if I am.


At this point, I'm pretty much stuck.  So if any kind soul wants to
throw me a bone, please do.

There are some things I find troubling and would want to offer
suggestions for.

- I am a fairly typical developer.  I'd like to understand my system and
to do so I read documentation, look at examples and try it out.  Yet the
barrier to entry to selinux is pretty high, which seems bad for
something Red Hat wants to be finely integrated into the distribution.

Maybe it would be a good idea to write a simple "getting started" guide
explaining how to do two or three common tasks (I'd say "serving web
pages from a nonstandard directory" would be one of them), making sure
that EVERY STEP works.  Right now the howto contains things that do not
work as advertised, and links to docs that reference stuff that is not
present, without a mention close by where to get it.

- A lot of developers I know, including a bunch at Red Hat, *turn off
SELINUX entirely*.  IMO, something that gets pushed at heavily as this
should be dogfooded by the development team at Red Hat completely, so
they encounter firsthand what it means and how to fix basic issues.
Knowledge spreads through increasingly growing circles starting from the
center.  If all RH developers, who have "easy" access to the SELINUX
people at Red Hat, were to use it, they'd have basic knowledge about it.
When the next circle of developers - outside of redhat, but having links
to inside - gets hit, they do the same.  And so on.

It looks to me like the first circle is already completely broken, hence
halting the dissemination of information and increasing the annoyance
level outside of Red Hat.  It won't be long before sysadmins and users
ignore the default and turn it off entirely.

- The documentation is not easy to find, out of date, and doesn't match
the system.  IMO, if FC3 gets released, the howto for something as basic
as SELINUX should be uptodate and easy to find.

As it is today:
- http://fedora.redhat.com has one link to SELinux, which links to a
project page that seems to be from before FC2 (!) and has no mention of
documentation
- The "docs" link below that links to the docs as a project, not to
docs.  Maybe not that bad, but confusing.
- The docs link on the left links to docs, where SELINUX is listed, and
the link mentions that it is for FC3 test 2
- When you click it, the docs say it is for test *3*
- all internal links in that doc are broken
- some commands in that doc do not work: fixfiles, audit2allow
- the document is more of a FAQ than a Howto, a simple "getting started"
would help a lot.

I understand that FC3 is relatively fresh and that not everything can be
in place from the start.
I just want to get a good picture of where SELINUX is at and how to
solve issues, so that I can try to fix stuff myself, and explain to
other people.  Otherwise I'll just have to turn off SELINUX myself, and
recommend the same to others when questions are asked about it.

Feel free to comment, both on the particular issue at hand as well as
the general issue of entry barriers to selinux.

Thomas

Dave/Dina : future TV today ! - http://www.davedina.org/
<-*- thomas (dot) apestaart (dot) org -*->
I will play you like a shark
And I'll clutch at your heart
I'll come flying like a spark
To enflame you
<-*- thomas (at) apestaart (dot) org -*->
URGent, best radio on the net - 24/7 ! - http://urgent.fm/




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux