My reading of your comments is that you have found the process of SELinux overly painful
to learn on an admin/developer level and more so than it needs to be. As a result, most
people disable this additional software protection in order to make their system continue
operations without having to take excessive time to fully understand this facility.
Unfortunately, I am in a situation where it is necessary to make this functionality work
for a development project that I am involved with.
Having to become an expert in short order is looking to be a little challenge. I'm
up for it. Will definitely prove useful once I understand it.
What I (and most other admins) am looking for are people to ask questions, as the various
documentation out there has some differences based on when it was written.
***** ***** *****
Michael D. Parker
General Atomics - EMS
Michael.d.parker(a)ga.com <<<<< NOTE: Remember to include my middle initial >>>>>
+1 858 964 6675 / Office 86-1319
16969 Mesamint Street / San Diego / CA / 92127
-----Original Message-----
From: Marko Rauhamaa [mailto:marko@pacujo.net]
Sent: Monday, August 01, 2016 3:58 PM
To: Parker, Michael D. <Michael.D.Parker(a)ga.com>
Cc: selinux(a)lists.fedoraproject.org
Subject: Re: --EXTERNAL--Welcome to the "selinux" mailing list
"Parker, Michael D." <Michael.D.Parker(a)ga.com>:
> What are you all doing/have done to bootstrap your knowledge about
> SELinux?
It's been a painful process and disillusionment.
SELinux means two distinct things:
(1) A fundamental mechanism. Most introductory material explains this
part, and you think it must make sense.
(2) The specific application of SELinux by the Linux distros. This is a
vast collection of prebuilt policies and attributes.
The "SELinux" you need to deal with as an administrator or a software developer
is mostly (2). The SELinux Proper (1) is as far removed from
(2) as semiconductor chemistry is from Java programming. Unfortunately,
(2) is also so complicated you shouldn't even think of coming up with a policy on your
own. Rather, you should take the distro's policy collection as a given. The
distro's administration guide lists the available policies plus the handful of
configuration parameters (aka
"booleans") that give you limited degrees of freedom.
I don't think SELinux is badly designed or implemented. I think the core problem is
that the SELinux approach to Mandatory Access Control cannot work.
Say I want to install a piece of software that doesn't come with my distro. Take Guix,
for example. The prebuilt policies don't know anything about it. So, as an admin, what
am I to do? What directories and files does Guix need to touch? What kinds of
"transitions" do I need to allow? What kinds of labels do I need to introduce to
my system? What kinds of tools do I need to use to integrate a Guix policy into the prebuilt
policies?
The sad answer often offered to these questions is, don't. Simply monitor Guix running
and see the complaints in the system audit log files. Then use a special silencer tool to
make SELinux shut up about those observed complaints. After a while you hope you have
charted all of the liberties Guix needs to do its work and you make your ad-hoc
"policy" mandatory.
Marko
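The "monitor, read the audit log, silence the complaints" workflow Marko describes is, mechanically, what tools such as audit2allow do: collect AVC denial records, group them by source domain, target type and object class, and emit `allow` rules. The script below is an added example, not code from the thread or from the SELinux project. It parses a few constructed AVC lines in the format auditd writes to /var/log/audit/audit.log (the contexts, pids and inode numbers are made up), builds the same grouping, renders the resulting rules, and, as the step an administrator should add before making such a "policy" mandatory, flags rules whose source is a broad system domain such as init_t: a daemon with no dedicated domain runs there, and an allow rule for init_t widens what every process in that domain may do. The "guix-daemon" name and the review heuristics are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (illustrative values, not from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1470090000.123:456): avc:  denied  { read } for  pid=1234 comm="guix-daemon" name="store" dev="sda1" ino=8899 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1470090001.456:457): avc:  denied  { write } for  pid=1234 comm="guix-daemon" name="store" dev="sda1" ino=8899 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1470090002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="guix-daemon" dest=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1470090002.789:458): arch=c000003e syscall=42 success=no exit=-13
"""

# Matches the fields of an AVC denial record that policy generation needs.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Domains that are deliberately broad; widening them affects unrelated processes.
BROAD_SOURCE_DOMAINS = {"init_t", "unconfined_t"}


def parse_avc_denials(audit_text):
    """Return one dict per AVC denial record; other record types are ignored."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            record = m.groupdict()
            record["perms"] = set(record["perms"].split())
            denials.append(record)
    return denials


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def summarize(denials):
    """Group denied permissions by (source domain, target type, object class)."""
    summary = defaultdict(set)
    for d in denials:
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        summary[key] |= d["perms"]
    return dict(summary)


def render_allow_rules(summary):
    """Render the grouping as policy-language allow rules, sorted for stable output."""
    rules = []
    for (sdom, ttype, tclass), perms in summary.items():
        rules.append(f"allow {sdom} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return sorted(rules)


def review_flags(summary):
    """Return human-readable warnings for rules that deserve review before loading."""
    flags = []
    for (sdom, ttype, tclass), perms in summary.items():
        if sdom in BROAD_SOURCE_DOMAINS:
            flags.append(
                f"{sdom} -> {ttype}:{tclass} {sorted(perms)}: source is a broad system "
                f"domain; an allow rule here applies to every process in it. "
                f"A dedicated domain with a transition for the program is the usual fix."
            )
    return flags


if __name__ == "__main__":
    summary = summarize(parse_avc_denials(SAMPLE_AUDIT_LOG))
    for rule in render_allow_rules(summary):
        print(rule)
    for flag in review_flags(summary):
        print("REVIEW:", flag)
```

Run against a real log the script would consume the output of `ausearch -m AVC` or the raw audit.log; the point of the `review_flags` step is that each generated rule is read and questioned rather than loaded wholesale.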