SElinux
Craig White
craigwhite at azapple.com
Tue Apr 4 20:15:11 UTC 2006
On Tue, 2006-04-04 at 14:57 -0500, Robert Nichols wrote:
> Matthew Saltzman wrote:
> > On Tue, 4 Apr 2006, Robert Nichols wrote:
> >
> >> Changing file contexts is very simple. Knowing what to change a
> >> file context _to_ in order to fix any particular denial is not so
> >> simple. And fixing the root problem that is repeatedly causing
> >> similar denials requires quite a bit of knowledge and analysis.
> >
> >
> > I've seen references to audit2allow that make me think this tool should
> > help identify what needs to be changed to fix any particular denial.
> > Haven't investigated in detail yet.
>
> There is simply no way for audit2allow to know what is the
> appropriate change. Should executables with this type always be
> allowed this kind of access? Does the executable have the wrong
> type? Does the target file have the wrong context, and if so,
> how did it get that way and what needs to be done so that in the
> future similar files will get the correct context? The
> immediate problem can be circumvented by changing any of the
> three parameters, but knowing which change is "right" is a bit
> more complicated.
>
> And that's just for users. The application developer has a
> whole additional level of complexity to consider if his app.
> finds itself "targeted".
>
> To make SELinux work for the wide variety of things done on
> desktop machines it needs a staff of highly trained volunteers
> willing to donate their time to analyze each problem and make
> and maintain the appropriate changes to the standard policy on
> each system. And fix it RIGHT NOW, please, I need to finish
> building this ISO and mail out the CD-R before the Post Office
> closes today. OK, "setenforce 0" is the quickest fix. Pardon
> me if I somehow neglect to change that back any time soon.
----
I am quite certain that if you wanted specific help with this issue, the
fedora-selinux list would help you solve it.
If you want to deal with it in a generic way, as you are doing, this
list and the fedora-selinux list aren't likely to be able to provide
much guidance.
Craig
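As an added illustration of the three parameters Robert names above (source type, target type, and the policy rule between them), and not code from anyone in this thread: a small Python parser that pulls those fields out of a constructed AVC denial line and lays out the three candidate changes. The `allow` rule text approximates what audit2allow would emit; `matchpathcon` and `restorecon -n` are the stock tools for checking the target label.

```python
import re

# Constructed sample AVC denial (not taken from the thread): httpd reading a
# file that carries a user home-directory label instead of an httpd content label.
SAMPLE_AVC = (
    'type=AVC msg=audit(1144180000.123:456): avc:  denied  { read } for '
    'pid=2345 comm="httpd" name="index.html" dev=sda1 ino=12345 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=user_u:object_r:user_home_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Extract the fields that decide a denial; None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    # The type is the third colon-separated field of a context (user:role:type[:level]).
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d


def candidate_fixes(d):
    """The three parameters from the thread, each with the question to answer first."""
    perms = " ".join(d["perms"])
    return {
        # 1. Change the policy: what audit2allow would generate (approximate format).
        "policy": f"allow {d['stype']} {d['ttype']}:{d['tclass']} {{ {perms} }};"
                  f"  # only right if every {d['stype']} process needs this",
        # 2. Change the executable's type: is the process in the right domain?
        "source": f"is {d['stype']} the right domain? check the executable's label",
        # 3. Change the target's context: is the object labelled as policy expects?
        "target": f"is {d['ttype']} correct? compare with matchpathcon / restorecon -n",
    }


if __name__ == "__main__":
    parsed = parse_avc(SAMPLE_AVC)
    for name, text in candidate_fixes(parsed).items():
        print(f"{name}: {text}")
```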