SELinux -- another view ?
Marko Vojinovic
vvmarko at panet.co.yu
Fri Oct 19 08:11:17 UTC 2007
:-)
On Thursday 18 October 2007 18:58, William Case wrote:
> I believe the problem is in RTFM. There is no FM manual to read.
I started with man selinux, and read on what was suggested in the "see also"
section from there, focusing on what seemed most interesting. Given the
particular problem I had, I found out that the answer Dan Walsh kindly
provided for me here on the list was precisely in the "examples" section of
one of the man pages.
> Since SELinux is a major alteration to the kernel, there should be
> equally as extensive and informative documentation and explanations -
> starting with the simplistic up to the detailed. Appropriate assistive
> guis would be welcome.
Think of it as an extension to the concept of permissions. That's as simple as
one can get (actually, SELinux is probably much more complicated, but from a
naive user's perspective it looks pretty much the same).
When something does not work, look at /var/log/messages, and find out that
your program has some_label_t while the object it tries to access has
some_different_label_t. The nontrivial part is to understand that two labels
are "incompatible", why is that so, and what is the proper solution.
The learning curve may seem steep, but this is also the case when one is not
familiar with the usual unix permissions system. However, I don't see any people
whining that permissions are "too technical", or "not useful for ordinary
user" or "too buggy and introduce vulnerabilities" or "there should be a way
to uninstall them". Just like permissions, SELinux is not a package, it is a
Way Of Things, a paradigm that is useful and brings more control to the user.
Furthermore, I have been a Win* convert for several years now, and have not so
far RTFM on unix perms, ever (other than man pages for chmod, chown and
chgrp). Yet still, I learned to use them and resolve any issues that might
appear. I am not even sure that there is a FM for that at all... ;-)
> Meanwhile, until the day comes that I have the time for intensive study,
> I will leave SELinux in permissive mode.
That would be analogous to using the root account for regular work, just to
avoid problems when a "permission denied" message appears to an ordinary user
account. And we all know that is a Bad Idea.
Best, :-)
Marko
Marko Vojinovic
Institute of Physics
University of Belgrade
======================
e-mail: vmarko at phy.bg.ac.yu
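The "look at /var/log/messages and find the two labels" step from the message above, worked through as an added example that is not part of the original post. It parses kernel AVC denial lines in the format that syslog wrote them at the time (the sample lines below are constructed for the example, not copied from the list) and reduces each one to the question the post asks: which source type was denied which permission on which target type. The field names (scontext, tcontext, tclass, comm) are the real AVC fields; the regular expression and the helper names are this example's own.

```python
import re
from collections import Counter

# Constructed sample of /var/log/messages content. Three AVC denials and one
# unrelated sshd line, to show that non-AVC lines are skipped.
SAMPLE_LOG = """\
Oct 19 08:00:01 host kernel: audit(1192780801.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=123456 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Oct 19 08:00:02 host kernel: audit(1192780802.456:46): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/marko/public_html" dev=sda1 ino=123457 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir
Oct 19 08:00:03 host kernel: audit(1192780803.789:47): avc:  denied  { name_connect } for  pid=3456 comm="sendmail" dest=25 scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
Oct 19 08:00:04 host sshd[1234]: Accepted publickey for marko from 10.0.0.5 port 51234 ssh2
"""

# Matches the parts of an AVC denial we care about. The permission set is
# written as "{ read }" or "{ read write }", so it is split on whitespace below.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"comm=\"(?P<comm>[^\"]*)\".*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # A context is user:role:type[:level]; the type (third field) is what the
    # policy rules are written in terms of, so that is what we compare.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Count denials keyed by (process, source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["comm"], rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def explain(log_text):
    """One human-readable sentence per distinct denial, sorted for stable output."""
    out = []
    for (comm, stype, ttype, tclass, perm), n in sorted(summarize(log_text).items()):
        out.append(f"{comm} ({stype}) was denied '{perm}' on a {tclass} labelled {ttype} [{n}x]")
    return out


if __name__ == "__main__":
    for sentence in explain(SAMPLE_LOG):
        print(sentence)
```

Reading the output the way the post suggests: httpd_t trying to read a file labelled user_home_t is the classic case where the answer is a label or a policy boolean, not a switch to permissive mode. Denials are logged in both permissive and enforcing mode, so the same lines are available either way; the difference is only whether the access actually went through.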
More information about the fedora-list mailing list