Re: allow guest_u to access screen

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2013-04-16 at 13:17 +0530, Lakshmipathi.G wrote:
> Thanks Dominikc for more detailed info.
> Okay,will log the silent denials via semodule -DB option.
> 
> 
> >not signal a bug and auditd (with the appropriate rules) can be used
> to
> >log any specific syscalls.
> 
> 
> How to do this? Logging specific syscall? Do we have another addition 
> feature like logging specific path (say /etc/passwd) ? 
> 

Yes. Best to read up on linux-audit.

> 
> 
> 
> >many people see the policy as something that is fixed.
> >If they have to write policy they argue that it is broken. 
> 
> 
> I understand the point, but the problem is at-least for users 
> like me, we are not really sure whether adding a new policy 
> may comprise on existing setup. 

Yes i understand. To really understand all the issues one needs to be
familiar with gnu/linux programming in my view. I am not in that league
either. That does not mean we are totally useless though. Some things
are self explanatory and in other cases one should always keep in mind
to use "least privilege" required. Also, many of the elements of a AVC
denial are documented such as the security classes and their av
permissions one can reference them and then use that info to investigate
whether some event makes sense or if it is maybe a bug or intrusion 

> >But that requires that one learns to speak and write SELinuxs'
> language,
> >and that might be an intimidating prospect to some. Not to mention
> the
> >ability to design a policy that meets ones requirements and to
> maintain
> >that.
> 
> 
> Yes,that's the main thing , to make SELinux customize to their
> requirement,
> you need to a well experienced user,average users (like me) will rely
> on tools like 
> audit2allow or audit2why etc,because these tools help him write a
> policy without 
> really getting deep into the issue :D !  
> 

But that defeats the purpose of SELinux. Better to invest some time into
discovering the inner workings a bit first. I am not saying that you
need to be an expert ( i am no expert either ) but it is better that one
knows at least a bit about the basics.

It takes a bit of effort but in my view it will eventually pay off. Once
you get a bit familiar with SELinux then it is no longer as intimidating
(although its power and flexibility will always be at least a bit
intimidating in my experience). Nonetheless SELinux has become pretty
mainstream and so the experience will come in handy in many cases. 
> 


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux