Re: --EXTERNAL--Welcome to the "selinux" mailing list


"Parker, Michael D." <Michael.D.Parker@xxxxxx>:

> What are you all doing/have done to bootstrap your knowledge about
> SELinux?

It's been a painful process and disillusionment.

SELinux means two distinct things:

(1) A fundamental mechanism. Most introductory material explains this
    part, and you think it must make sense.

(2) The specific application of SELinux by the Linux distros. This is a
    vast collection of prebuilt policies and attributes.


The "SELinux" you need to deal with as an administrator or a software
developer is mostly (2). The SELinux Proper (1) is as far removed from
(2) as semiconductor chemistry is from Java programming. Unfortunately,
(2) is also so complicated you shouldn't even think of coming up with a
policy on your own. Rather, you should take the distro's policy
collection as a given. The distro's administration guide lists the
available policies plus the handful of configuration parameters (aka
"booleans") that give you limited degrees of freedom.


I don't think SELinux is badly designed or implemented. I think the core
problem is that the SELinux approach to Mandatory Access Control cannot
work.

Say I want to install a piece of software that doesn't come with my
distro. Take Guix, for example. The prebuilt policies don't know
anything about it. So, as an admin, what am I to do? What directories
and files does Guix need to touch? What kinds of "transitions" do I need
to allow? What kinds of labels do I need to introduce to my system? What
kinds of tools do I need to use to integrate a Guix policy into the
prebuilt policies?

The sad answer often offered to these questions is, don't. Simply
monitor Guix running and see the complaints in the system audit log
files. Then use a special silencer tool to make SELinux shut up about
those observed complaints. After a while you hope you have charted all
of the liberties Guix needs to do its work and you make your ad-hoc
"policy" mandatory.


Marko
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/selinux@xxxxxxxxxxxxxxxxxxxxxxx
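The "monitor, read the audit log, silence the complaints" workflow described in the post above (in practice: collect AVC denials, then feed them to audit2allow) is where most ad-hoc policies go wrong, because the generated allow rules are accepted without anyone reading them. The following Python script is an added example, not part of the post or of any SELinux project: it parses AVC records from an auditd log, groups the denials by source type, target type and object class, and renders the allow rule each group would turn into, so the rules can be reviewed before they are made mandatory. The audit lines, the pids and inodes, and the "guix-daemon" process name are constructed for the example; the record layout is the standard auditd AVC format.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt for this example (not taken from the post):
# auditd AVC records in their standard format, with made-up pids, inodes and a
# hypothetical "guix-daemon" process. One SYSCALL record is included to show
# that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=4101 comm="guix-daemon" name="store" dev="sda1" ino=1001 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { add_name } for  pid=4101 comm="guix-daemon" name="lock" dev="sda1" ino=1001 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { name_connect } for  pid=4102 comm="guix" dest=443 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=42 success=no exit=-13 ...
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=4101 comm="guix-daemon" name="db" dev="sda1" ino=1002 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
"""

# Fields of an AVC record that matter for policy review. The permissive=
# field is optional because older kernels did not emit it.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def parse_avc(line):
    """Parse one AVC record into a dict; return None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "comm": m.group("comm"),
        "stype": type_of(m.group("scontext")),
        "ttype": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def summarize(log_text):
    """Group denials by (source type, target type, object class).

    Each group records the union of denied permissions, the programs that
    triggered them, the number of denials, and how many of those happened
    while the domain was actually enforcing (permissive=0).
    """
    summary = defaultdict(
        lambda: {"perms": set(), "comms": set(), "count": 0, "enforcing": 0}
    )
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        entry = summary[(rec["stype"], rec["ttype"], rec["tclass"])]
        entry["perms"] |= rec["perms"]
        entry["comms"].add(rec["comm"])
        entry["count"] += 1
        if not rec["permissive"]:
            entry["enforcing"] += 1
    return dict(summary)


def to_allow_rules(summary):
    """Render each group as the allow rule a silencer tool would propose."""
    rules = []
    for (stype, ttype, tclass), info in summary.items():
        perms = " ".join(sorted(info["perms"]))
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {perms} }};")
    return sorted(rules)


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUDIT_LOG)
    for (stype, ttype, tclass), info in sorted(summary.items()):
        print(f"{stype} -> {ttype}:{tclass}: {info['count']} denials "
              f"({info['enforcing']} while enforcing) from {sorted(info['comms'])}")
    for rule in to_allow_rules(summary):
        print(rule)
```

Run against a real log with `ausearch -m AVC` output piped into `summarize`. The grouped view is what makes the review possible: a rule like `allow init_t var_t:dir { add_name write };` targets the generic `var_t` type, which usually means the directory is mislabeled and the right fix is a file context for it, not a blanket permission; and the `enforcing` counter separates denials that blocked the program from ones only logged under permissive mode.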