paul at city-fan.org
Sat Apr 8 17:23:57 UTC 2006
On Sat, 2006-04-08 at 12:18 -0500, Bruno Wolff III wrote:
> On Sat, Apr 08, 2006 at 10:55:37 -0500,
> Robert Nichols <rnicholsNOSPAM at comcast.net> wrote:
> > Actually, I agree with you completely. I've just found SELinux too
> > painful to use. I fought with it a long time in FC-3, almost had it
> > working, but never managed to get permissive mode to stay quiet long
> > enough to let me go to enforcing mode. I looked at SELinux in FC-4
> > to see what might have changed, but I never really did much with FC-4.
> > Now I see that in FC-5 so much has changed that absolutely nothing
> > that I learned how to do in FC-3 applies any more. I'd be starting
> > from scratch again. Sorry, BTDT. Sure, there are programs I'd like
> > to confine, but SELinux just isn't a feasable way to do that unless
> > you have an SELinux guru on call to set up and maintain your system.
> I had it off in FC3, targetted in FC4, and now with FC5 I am going to try to
> inflict mls on myself, on one of my machines.
> I like targetted because it makes running publicly accessible daemons
> a bit safer (and FC5 adds some other stuff there). However, I do use perl
> scripts that need to be able to access a local database server or a remote
> site and I keep projects in nonstandard directories, so I need to tweak
> contexts. I still haven't figured out the best way to handle not breaking
> things after a relabel.
> I have both an interest in security and a distrust of commercial software
> distributors (in particular game distributors) and would like to take the
> next step of not having any unconfined (well, not using the unconfined_t
> context) processes. And I figure I might as well go right to using the mls
> policy even though I don't have much use for hierarchical security levels
> at this time.
> But I figure their will be some pain in doing this. I need to learn how to
> efficiently get custom modules set up for applications, and need to figure
> out how I want to maintain these modules as well as nonstandard file context
Don't know much about writing custom policy modules from scratch, but
the context management should be easy enough using semanage.
For instance, to make /srv/softlib and everything underneath it have a
default context type of public_content_rw_t:
# semanage fcontext -a -t public_content_rw_t '/srv/softlib(/.*)?'
Allow Apache to listen on port 81:
# semanage port -a -t http_port_t -p tcp 81
It's currently possible to see the local changes you've made in this way
by looking at /etc/selinux/targeted/contexts/files/file_contexts.local
semanage doesn't change the contexts of existing files, it changes the
underlying policy. This means that changes made using semanage will be
effected if you use "restorecon" or do a full relabel.
More information about the users