Tim ignored_mailbox@yahoo.com.au wrote:
Sent: Aug 31, 2010 5:30 AM To: Community support for Fedora users users@lists.fedoraproject.org Subject: Re: SELINUX
On Tue, 2010-08-31 at 00:15 +0000, JB wrote:
Well, if SELinux is the best thing that happened to security since sliced bread, then why do people make these comments?
Because people like to bitch, particularly the ignorant ones.
Maybe because SELinux is harder than hell to configure, if your favorite application is not already configured. This is BY DESIGN to prevent 'ordinary' users from mucking around in it.
Why do security people think they have the ability to dictate to application writers that they use specialized API's or write arcane security policies?
Gee, that's a tough one. Probably because security people know more about security than non-security-aware programmers...
Bingo. Maybe it is also so that they write more secure code as well.
If you are on the Internet, SELinux is a great product which is designed to give you enhanced, but not perfect, security.
Now that's my dime on this. I don't run SELinux, my system is not networked. That is MY decision. If it ever becomes networked, SELinux, iptables and a bunch of other stuff are going on it first.
James McKenzie SSCP 367830
On Tuesday, August 31, 2010 15:34:42 James Mckenzie wrote:
Tim ignored_mailbox@yahoo.com.au wrote:
On Tue, 2010-08-31 at 00:15 +0000, JB wrote:
Well, if SELinux is the best thing that happened to security since sliced bread, then why do people make these comments?
Because people like to bitch, particularly the ignorant ones.
Maybe because SELinux is harder than hell to configure, if your favorite application is not already configured. This is BY DESIGN to prevent 'ordinary' users from mucking around in it.
Yea, sure, can you imagine, one needs to know how to use no less than *two* commands --- chcon and semanage --- this is waaay beyond the capabilities of any mortal sysadmin... And reading their dreaded man pages, oh my, I get scared just thinking about trying to read them...
There is a saying from where I come from --- people are not divided into competent and incompetent, but into whiners and non-whiners.
Best, :-) Marko
On Tue, Aug 31, 2010 at 17:55:32 +0100, Marko Vojinovic vvmarko@gmail.com wrote:
Yea, sure, can you imagine, one needs to know how to use no less than *two* commands --- chcon and semanage --- this is waaay beyond the capabilities of any mortal sysadmin... And reading their dreaded man pages, oh my, I get scared just thinking about trying to read them...
restorecon and semanage are a safer combination.
On Tuesday, August 31, 2010 17:59:06 Bruno Wolff III wrote:
On Tue, Aug 31, 2010 at 17:55:32 +0100, Marko Vojinovic vvmarko@gmail.com wrote:
Yea, sure, can you imagine, one needs to know how to use no less than *two* commands --- chcon and semanage --- this is waaay beyond the capabilities of any mortal sysadmin... And reading their dreaded man pages, oh my, I get scared just thinking about trying to read them...
restorecon and semanage are a safer combination.
Of course, you're right.
When I first tried to manipulate contexts, chcon was a natural choice to learn about, because it was analogous to chown, chgrp and chmod. And once I developed a habit of using it, well... ;-)
Best, :-) Marko
On 31 August 2010 10:21, Marko Vojinovic vvmarko@gmail.com wrote:
On Tuesday, August 31, 2010 17:59:06 Bruno Wolff III wrote:
On Tue, Aug 31, 2010 at 17:55:32 +0100, Marko Vojinovic vvmarko@gmail.com wrote:
Yea, sure, can you imagine, one needs to know how to use no less than *two* commands --- chcon and semanage --- this is waaay beyond the capabilities of any mortal sysadmin... And reading their dreaded man pages, oh my, I get scared just thinking about trying to read them...
restorecon and semanage are a safer combination.
Of course, you're right.
I mostly use,
# chcon --reference /some/similar/file <file>
Best, :-) Marko
On Tue, Aug 31, 2010 at 10:23:48 -0700, suvayu ali fatkasuvayu+linux@gmail.com wrote:
# chcon --reference /some/similar/file <file>
The problem with using chcon is that you don't test if a relabel will break things. For the most part you want to set the new labelling pattern with semanage and then apply the pattern with restorecon. There are a few exceptions where things with some patterns get left the way they are and for those cases chcon makes sense to use.
Hi Bruno,
On 31 August 2010 13:21, Bruno Wolff III bruno@wolff.to wrote:
On Tue, Aug 31, 2010 at 10:23:48 -0700, suvayu ali fatkasuvayu+linux@gmail.com wrote:
# chcon --reference /some/similar/file <file>
The problem with using chcon is that you don't test if a relabel will break things. For the most part you want to set the new labelling pattern with semanage and then apply the pattern with restorecon. There are a few exceptions where things with some patterns get left the way they are and for those cases chcon makes sense to use.
Thanks for your comments. Despite my ill-informed usage I guess I didn't run into problems since my use case is to apply contexts for new non-existent configuration files or to restore contexts after I have edited them with emacs. (btw, emacs 24 supports SELinux now, I have been compiling it from source just to keep using emacs while editing conf files :-p )
I'll try to read up more and follow the recommended way.
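The workflow Bruno describes above (record the labelling pattern with semanage, then apply it with restorecon) in script form, as an added example that is not part of the thread. It adds one step the thread only implies: a dry run with `restorecon -n` so you can see what a relabel would touch before anything changes. The directory `/srv/www`, the type `httpd_sys_content_t` and the sample output lines are assumptions made up for the example; the "Would relabel ... from ... to ..." line format is what current restorecon prints with `-nv`, and `matchpathcon -V` reports mismatches as "... has context X, should be Y".

```shell
#!/bin/sh
# Added example: semanage + restorecon relabel workflow with a dry run.
# TARGET_DIR and TARGET_TYPE are illustrative assumptions, override via env.
set -u

TARGET_DIR="${TARGET_DIR:-/srv/www}"
TARGET_TYPE="${TARGET_TYPE:-httpd_sys_content_t}"

# Count how many files a relabel would touch, given `restorecon -Rnv`
# output on stdin (one "Would relabel ..." line per file). Prints 0 rather
# than failing when nothing would change.
count_pending_relabels() {
    grep -c '^Would relabel' || true
}

# Return 0 if a `matchpathcon -V` line says the file's current context
# differs from what the loaded policy expects for that path.
is_mismatch_line() {
    case "$1" in
        *' should be '*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count mismatches in `matchpathcon -V` output read from stdin.
count_mismatches() {
    n=0
    while IFS= read -r line; do
        if is_mismatch_line "$line"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Step 0: preview. Lists what restorecon would change without changing it.
preview_relabel() {
    dir="$1"
    if ! command -v restorecon >/dev/null 2>&1; then
        echo "restorecon not available; skipping preview" >&2
        return 0
    fi
    restorecon -Rnv "$dir" | count_pending_relabels
}

# Step 1: record the pattern in the policy's file-context database so the
# label survives a later relabel (use `semanage fcontext -m` instead of -a
# if the pattern already exists). Step 2: apply it with restorecon.
# Step 3: verify against policy; the printed mismatch count should be 0.
# chcon --reference (the shortcut used earlier in the thread) skips step 1,
# so a later restorecon or system relabel quietly reverts the change.
relabel_workflow() {
    dir="$1"; type_="$2"
    if ! command -v semanage >/dev/null 2>&1; then
        echo "semanage not available; nothing changed" >&2
        return 0
    fi
    semanage fcontext -a -t "$type_" "$dir(/.*)?"
    restorecon -Rv "$dir"
    find "$dir" -print0 | xargs -0 matchpathcon -V | count_mismatches
}

case "${1:-preview}" in
    preview) preview_relabel "$TARGET_DIR" ;;
    apply)   relabel_workflow "$TARGET_DIR" "$TARGET_TYPE" ;;
esac
```

Run it with no arguments for the preview, and with `apply` once the preview shows only the files you expect. The same preview and verify steps make a good check after a `chcon` too: if `matchpathcon -V` reports "should be", the policy does not know about the label and a relabel will undo it.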