SELinux on Fedora 17 - troubles, troubles, troubles, ...

Daniel J Walsh dwalsh at redhat.com
Thu Jul 19 13:41:51 UTC 2012



On 07/19/2012 05:24 AM, Mateusz Marzantowicz wrote:
> Why is using SELinux on Fedora (I don't have experience with other
> distros) so painful from a regular user's perspective?
> 
> I'm talking about a situation in which, after installing stock packages and
> "just running" applications, I'm spending more time with the SELinux Alert
> Browser than with any other system management utility.
> 
> You'd probably say that it's my fault, that I messed with SELinux
> settings (yes, I confess, I've enabled Samba sharing on some of my
> directories under home, but I've done this based on the official Wiki), but
> actually I only followed instructions from the alert browser. I've applied
> custom policies for one or two files that I then removed after one or two
> hours.
> 
> I think that right now my system is as secure as with SELinux disabled
> because of all the modifications that I've made. I'm not an idiot but I
> really can't track all the security policies that are active on my desktop
> system used for daily work.
> 
> Do I really need to become a security expert specialized in SELinux to use my
> system? I started reading about SELinux design and configuration but I
> think it's a waste of time. My current SELinux problem is caused by
> systemd-tmpfiles trying to clean up my /tmp dir, where I copied some files
> from my home directory to play with and ... left them for automatic cleanup.
> The solution is obvious - remove the files from /tmp manually - but then the
> automatic removal mechanism provided by Fedora is redundant.
> 
> Is there a chance that someday users will use selinux without even noticing
> it's installed?
> 
> 
> Mateusz Marzantowicz
> 


Well, you are complaining about two different problems, so let's address them
separately.  Setting up Samba with SELinux can be daunting, since SELinux does
not just allow Samba servers to share all content on the system out of the
box.  You have to tell SELinux what you want to change.

Did you look at the samba_selinux man page?  We now have over 400 man pages to
explain how SELinux interacts with different applications on a RHEL box.

You also might want to read

http://danwalsh.livejournal.com/30837.html

which might help you understand SELinux a little better.

As far as the /tmp problem with systemd-tmpfiles goes, this is a bug in the policy
that we are investigating.  Basically what is happening is that we removed
something that caused random leftover content in /tmp to become invalid, and
systemd-tmpfiles is not allowed to look at the content or delete it.  It
is probably just best if you delete the content, and then SELinux will stop
complaining about it.

ls -lZ /tmp/pulse-* -d
drwx------. gdm    gdm    system_u:object_r:xdm_tmp_t:s0   /tmp/pulse-51xb22O5vXMk
drwx------. dwalsh dwalsh staff_u:object_r:user_tmp_t:s0   /tmp/pulse-cvPtFlQSQRNj


If one is unlabeled_t, then delete it.

If you have any problems with SELinux please open a bugzilla or come to
#selinux on freenode, there are people there to help you.





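The check Dan describes above (look at the SELinux type of each leftover entry in /tmp with ls -lZ and delete whatever is unlabeled_t) as a small bash script. This is an added example, not code from the mail or from Fedora; the listing it parses is constructed for the example, with two entries copied from the reply and two invented unlabeled_t entries (/tmp/stale-scratch and /tmp/notes.txt) added so there is something to find.

```bash
#!/bin/bash
# Added example: pick out /tmp entries whose SELinux type is unlabeled_t,
# the state the reply says systemd-tmpfiles cannot read or remove.
# It parses lines in `ls -lZ` format, so it runs offline on the sample below.

# Return the SELinux type, i.e. the third colon-separated field of a context.
#   selinux_type system_u:object_r:xdm_tmp_t:s0   -> xdm_tmp_t
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -lZ` lines on stdin and print the path of every entry whose type
# equals $1 (default unlabeled_t). Older and newer coreutils differ in
# whether size and date columns appear, so the context is located as the
# field that looks like user:object_r:type:level and the path is taken as
# the last field (paths containing spaces are not handled by this parser).
entries_with_type() {
    want="${1:-unlabeled_t}"
    awk -v want="$want" '
        {
            ctx = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[a-z_]+:object_r:/) { ctx = $i; break }
            }
            if (ctx == "") next
            split(ctx, parts, ":")
            if (parts[3] == want) print $NF
        }'
}

# Constructed sample listing (not real output). The first two lines are the
# directories shown in the reply; the last two are invented stale entries.
SAMPLE_LISTING='drwx------. gdm    gdm    system_u:object_r:xdm_tmp_t:s0   /tmp/pulse-51xb22O5vXMk
drwx------. dwalsh dwalsh staff_u:object_r:user_tmp_t:s0   /tmp/pulse-cvPtFlQSQRNj
drwx------. dwalsh dwalsh system_u:object_r:unlabeled_t:s0 /tmp/stale-scratch
-rw-r--r--. dwalsh dwalsh system_u:object_r:unlabeled_t:s0 /tmp/notes.txt'

# Entries in the sample that carry unlabeled_t and are therefore candidates
# for manual deletion as the reply recommends.
list_unlabeled() {
    printf '%s\n' "$SAMPLE_LISTING" | entries_with_type unlabeled_t
}

# On a live Fedora box the same filter is:
#   ls -lZ /tmp | entries_with_type unlabeled_t
# or, without parsing ls at all, GNU find's SELinux test:
#   find /tmp -context '*:unlabeled_t:*'
# Review the list before removing anything; the script deliberately only reports.
list_unlabeled
```

Deleting is left to the operator on purpose: unlabeled_t in /tmp is usually stale scratch data, as in the thread, but a type check alone cannot tell that from something a user still wants.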
