selinux is a pain

Tim ignored_mailbox at yahoo.com.au
Tue Sep 20 15:30:38 UTC 2011


On Tue, 2011-09-20 at 08:14 -0300, Martín Marqués wrote:
> I reinstalled (better hardware) a server and had selinux enabled (was
> disabled before), and I'm starting to see why so many people don't use
> selinux.

Let's clarify what you've written... You are now trying to run a
system with SELinux enabled that was previously running with it
disabled. The same files on the drive, just changing the SELinux
setting. Is that right?

If so, no wonder you're having grief. While SELinux was off, your
system was writing files without setting any SELinux contexts. So,
those files are just default files. Now that SELinux is on, there are no
contexts written in the file attributes that would tell SELinux to allow
access, so the default (for safety) action is to disallow it.

On the other hand, if the system had been running with SELinux all the
time, then all those files that were written to the drive would have
had the normal SELinux contexts applied to them. So things should
simply "just work," barring the occasional error (e.g. someone forgot to
make a rule to set the right context, or the software programmer tried
to do something less than smart, expecting full access when they
shouldn't be trying that).

Or, by re-install, do you mean that the system was installed with
SELinux running normally, and you installed your user files in the same
manner?  Then things should simply just work.  Though verbatim copying
over user files with (preset) default SELinux contexts would still be a
problem.

-- 
[tim at localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
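
The check a practitioner would run after reading the above, as an added example that is not part of Tim's message or the list archive: files written while SELinux was disabled carry no `security.selinux` attribute, so once enforcement is on they show up in `ls -Z` as `unlabeled_t` (or as `?` while SELinux is still off), and `restorecon` re-applies the contexts from the loaded policy's file_contexts. The script assumes the plain `ls -Z` layout of current coreutils (context, then name); the helper names and the sample `ls -Z` lines in the usage note are constructed for this example. The relabel command is printed rather than executed.

```sh
#!/bin/sh
# Added example, not from the original mailing-list message.
# Spot files whose SELinux context is missing (the situation Tim
# describes for files written with SELinux disabled) and build the
# restorecon command that puts the policy-defined context back.
#
# Assumed input format: plain `ls -Z` as printed by current coreutils,
# i.e. "<context> <name>".  A file with no security.selinux xattr shows
# the context "?" while SELinux is disabled, or ends up as
# "...:unlabeled_t:..." once SELinux is enabled.

# find_unlabeled: read `ls -Z` lines on stdin, print the names of files
# with no usable context (one per line; names may contain spaces).
find_unlabeled() {
    awk '{
        ctx = $1
        name = $0
        sub(/^[^ ]+ +/, "", name)   # drop the context column
        if (ctx == "?" || ctx ~ /:unlabeled_t(:|$)/) print name
    }'
}

# relabel_cmd: turn a list of paths (one per line on stdin) into the
# restorecon invocation that re-applies file_contexts recursively.
# It only prints the command so the script is safe to run anywhere;
# the full-system alternative is "touch /.autorelabel" and a reboot.
relabel_cmd() {
    paths=$(cat)
    [ -n "$paths" ] || { echo "# nothing to relabel"; return 0; }
    printf 'restorecon -Rv'
    echo "$paths" | while IFS= read -r p; do printf ' %s' "$p"; done
    echo
}
```

Usage on a real box would be `ls -Z /srv/www | find_unlabeled | relabel_cmd`; with constructed input such as `printf 'system_u:object_r:unlabeled_t:s0 copied.tar\n' | find_unlabeled | relabel_cmd` it prints `restorecon -Rv copied.tar`. Paths are emitted unquoted, so review the command before pasting it if any names contain shell metacharacters.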
