
Re: Selinux



Wolfgang S. Rupprecht wrote:
> Bill Davidsen <davidsen tmr com> writes:
>> That's a bit like asking how to turn off the burglar alarm so
>> break-ins won't be so noisy. The correct question is how to set
>> attributes correctly so google earth will run, and the answer may be
>> in the SElinux report, as it often is. Read the report and see if it
>> gives you a command to run which solves the problem.
>
> ;-)
>
> Good analogy, extra style points for making one feel guilty for
> turning off something that sounds like it should be a good thing to
> have on in general.

Much easier to have on in the distribution configuration on servers, not doing bizarre stuff. My mail, dns, dhcp servers run fine that way. Clients doing unusual stuff, not so much.

> Each distribution, since I think FC4, I've tried to run selinux and
> after a short time decided it simply wasn't worth the trouble.  On
> anything more complicated than a client-only, stand-alone system, I'd
> get low-probability failures creeping out of the woodwork forever.
> Selinux as currently delivered is a better DOS than any outside
> attacker has ever inflicted on WSRCC in the one and a half dozen years
> it has been on the net.  (Now, I obviously still believe in chrooted,
> internet-facing programs run as powerless per-daemon users, and I'm a
> firm stickler in no non-RSA/DSA remote logins.  I just don't like my
> own system DOS-ing me randomly.)
>
> This time on F10 selinux lasted exactly 15 minutes.  The first time I
> tried to log in as an NFS automounted user, I realized that things
> have gotten worse in terms of working for me out of the box.  Sure I
> could fight the issue and use the selinux tools to adjust the
> permissions, but why bother, it is clear this hasn't been well tested
> and using selinux will be an uphill battle with a pre-alpha quality
> permissions database that I'll essentially be maintaining on my own.

Haven't done amd home directories since SunOS (yes, the old 68030 based SunOS based on BSD), so I can't say, but having had similar issues bind mounting a home directory I know what you mean; the stock selinux doesn't like that.

> I strongly suspect that Red Hat doesn't run with selinux enabled on
> their corporate machines.  From how rickety everything still is, it
> just doesn't feel like they eat their own dog-food.  How can NFS-ed
> home directories possibly not work if they did?  Folks from RH are of
> course encouraged to tell me how wrong I am.

I haven't had any problems with systems which permanently mount filesystems on local disk. That's a good bit of my usage, and all my server usage; the only thing worse than single points of failure is multiple single points of failure, and proper redundancy is expensive.

I don't have an answer for your automount issue; my bind mount (in rc.local) is followed by some selinux blessing, which I took directly from the warning in active but not enforcing mode. After I sprinkle the mount with holy water it works.

--
Bill Davidsen <davidsen tmr com>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
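As an added illustration of the workflow the thread describes (run in permissive mode, read the denials the report is built from, then apply the labelling fix rather than switching SELinux off), here is a small POSIX shell script. It is not code from either poster or from Fedora: the audit.log lines are constructed samples, the `/srv/home` bind-mount source is an assumed path, and the script only prints the `semanage`/`restorecon`/`setsebool` commands rather than running them, so it can be read and tested on any machine.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# 1. Summarise AVC denials as permissive mode records them in audit.log.
# 2. Print the commands that give a bind-mounted home tree the /home labels,
#    and the boolean that allows NFS-mounted home directories.

# Constructed sample of audit.log lines (permissive=1 means SELinux only logged,
# it did not block). A bind-mounted home tree that was never relabelled tends
# to carry a generic type such as default_t, which no domain may use as a home.
SAMPLE_AVC='type=AVC msg=audit(1234567890.123:42): avc:  denied  { read } for  pid=1234 comm="bash" name=".bashrc" dev="sda3" ino=5678 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1234567890.456:43): avc:  denied  { write } for  pid=1234 comm="bash" name=".bash_history" dev="sda3" ino=5679 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1234567890.789:44): avc:  denied  { search } for  pid=2345 comm="sshd" name="home" dev="sda3" ino=2 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=1'

# avc_summary LOGTEXT
# One output line per distinct (source type -> target type, class, permission)
# with a count, sorted. This is the raw material setroubleshoot/audit2allow
# work from; seeing the same target type on every line is the tell that the
# problem is file labelling, not a missing policy rule.
avc_summary() {
    printf '%s\n' "$1" | awk '
        /avc:  denied/ {
            perm = ""; src = ""; tgt = ""; cls = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "{") perm = $(i + 1)
                if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
                if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
                if ($i ~ /^tclass=/) cls = substr($i, 8)
            }
            count[src " -> " tgt " " cls " " perm]++
        }
        END { for (k in count) print count[k], k }
    ' | sort
}

# relabel_commands HOME_SRC
# HOME_SRC is the real directory that rc.local bind-mounts onto /home
# (assumed /srv/home below). The equivalence rule makes every path under
# HOME_SRC get the same default label as the matching path under /home,
# so the fix survives a full relabel instead of being a one-off chcon.
relabel_commands() {
    home_src="$1"
    printf 'semanage fcontext -a -e /home %s\n' "$home_src"
    printf 'restorecon -Rv %s /home\n' "$home_src"
}

# nfs_home_commands
# For NFS/automounted homes the label cannot be set on the server side from
# the client, so the stock policy gates access behind a boolean instead.
nfs_home_commands() {
    printf 'setsebool -P use_nfs_home_dirs on\n'
}

# Stand-alone run: show the denial summary, then the commands to apply.
avc_summary "$SAMPLE_AVC"
echo '--- bind-mounted home (assumed source /srv/home):'
relabel_commands /srv/home
echo '--- NFS/automounted home:'
nfs_home_commands
```

Run it once in permissive mode to see the summary, apply the printed commands, then return to enforcing; if the same types keep appearing afterwards, `audit2allow` on the remaining lines is the next step, since those are policy gaps rather than labelling.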

