Hello all!

Yesterday I ran into a very odd problem which I think highlights a serious weakness in the current selinux implementation. A newbie linux/web developer was testing a perl based cgi on his fedora box. If he put the cgi program in /var/www/cgi-bin it would not produce any output or error messages. It just seemed to exit. If he ran it from his ~/ it produced the expected output. It took me a good 15 min of scratching my head over this before I realized this must be an selinux thing due to the context of the cgi-bin dir, and of course I was right.

This highlights a serious concern of mine: lots of time is being wasted tracking down strange problems because the only place SE Linux has to report security errors is in dmesg and the system log. When the cgi program would not produce any output at all it was not even obvious that it was a security problem. This is not acceptable for general use. My users won't think to check the system log for possible security policy violations relating to their activities, and even I often forget to do it because a security policy violation is often not the first thing that comes to my mind when something like this happens. And even if we do think of it, we should not have to go check the logs every time something odd happens suspecting SE Linux. It should be immediately obvious.

Traditionally when there is a security policy violation you get a "permission denied" on the tty. We have got to find a way to make an error appear on the tty associated with the process that caused the violation. I think I am going to look into setting up syslog to log all such security messages to all ttys until I can find a better solution. But what is the better solution? I suspect that now that we have a very granular way of specifying security policy we will need a more granular way to report errors back to the user.
I am having a rather difficult time selling SE Linux in my business due to issues like this. People really hate it when this cool new security feature causes things to fail in dark and mysterious ways. I have been forced to disable it on all of our machines lest we have a developer uprising.

-- 
Tracy R Reed
http://ultraviolet.org

-- 
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-selinux-list
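The post's complaint is that the only trace of the CGI failure is an AVC line buried in dmesg or the system log. The script below is an added example, not code from the original post or from Fedora; it turns a raw SELinux AVC denial line into the kind of "permission denied" one-liner the post wishes the developer had seen. It assumes the kernel-log AVC format of that era (a `denied { perms }` clause followed by `key=value` tokens such as `exe=`, `name=`, `scontext=`, `tcontext=` and `tclass=`); the sample line in `SAMPLE_AVC` is constructed for illustration and its PIDs, device, inode and contexts are made up.

```shell
#!/bin/sh
# Added example (not from the original post): summarise SELinux AVC denials
# found in dmesg / syslog lines as a readable "permission denied" message.
#
# The post's other idea, broadcasting the raw kernel messages to every
# logged-in user, is a one-liner in sysklogd's /etc/syslog.conf (the "*"
# action means "write to all logged-in users"):
#     kern.*    *
# It is very noisy, and it only reaches people who hold a tty, which the
# httpd process that actually ran the CGI does not.

# Constructed sample AVC line in the kernel-log format of the time.
SAMPLE_AVC='audit(1119636999.123:0): avc:  denied  { execute } for  pid=2241 exe=/usr/sbin/httpd name=test.cgi dev=hda2 ino=98765 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file'

# avc_field LINE KEY: print the value of the KEY=value token in LINE.
# Prints "?" and returns 1 when the key is absent.
avc_field() {
    set -f                      # no glob expansion while word-splitting LINE
    for tok in $1; do
        case $tok in
            "$2="*) set +f; printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    set +f
    printf '?\n'
    return 1
}

# avc_summary LINE: print one readable summary of an AVC denial, or return 1
# (printing nothing) when LINE is not an AVC denial at all.
avc_summary() {
    case $1 in
        *avc:*denied*) ;;
        *) return 1 ;;
    esac
    perms=${1#*'{'}             # drop everything up to the opening brace
    perms=${perms%%'}'*}        # and everything from the closing brace on
    perms=$(printf '%s\n' "$perms" | tr -s ' ' | sed 's/^ //;s/ $//')
    # older kernels logged exe=, newer ones comm=; accept either
    subj=$(avc_field "$1" exe) || subj=$(avc_field "$1" comm)
    obj=$(avc_field "$1" name)
    tclass=$(avc_field "$1" tclass)
    scontext=$(avc_field "$1" scontext)
    tcontext=$(avc_field "$1" tcontext)
    printf 'SELinux: %s denied %s on %s %s (%s -> %s)\n' \
        "$subj" "$perms" "$tclass" "$obj" "$scontext" "$tcontext"
}

# scan_avc: read log lines on stdin (e.g. from dmesg), print a summary for
# each AVC denial, return 0 if at least one was found and 1 otherwise.
scan_avc() {
    found=1
    while IFS= read -r l; do
        avc_summary "$l" && found=0
    done
    return $found
}

# Stand-alone demo: one unrelated kernel message plus the constructed denial.
printf '%s\n' 'eth0: link up' "$SAMPLE_AVC" | scan_avc
```

In practice this is the check to run before anything else when a program in a confined directory dies silently: `dmesg | scan_avc` (or, on releases where auditd owns the messages, the same scan over /var/log/audit/audit.log). A summary line like the one above, naming `httpd_t` trying to execute a file labelled `user_home_t`, points straight at the file context of the copied CGI.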