first encounters with SELINUX, with some suggestions

Russell Coker russell at coker.com.au
Tue Nov 23 01:53:40 UTC 2004


On Tuesday 09 November 2004 23:12, Thomas Vander Stichele 
<thomas at apestaart.org> wrote:
> So I read some more of the howto.  There's a binary called audit2allow
> that could help me generate rules.  So I run it, restart apache a few
> times, but the binary doesn't print anything, not even with -v.  Maybe
> I'm using it wrong, but there's no way of finding out if I am.

Here are some uses of it:
dmesg|audit2allow 
audit2allow -d
audit2allow < /var/log/messages

Note that audit2allow only produces policy; you then have to include that in 
your policy tree and recompile.  To do that, install 
selinux-policy-targeted-sources and put a file 
named /etc/selinux/targeted/src/policy/domains/misc/custom.te with your 
policy, and then run "make -C /etc/selinux/targeted/src/policy load" to 
compile and load the policy.

> If all RH developers, who have "easy" access to the SELINUX
> people at Red Hat, were to use it, they'd have basic knowledge about it.
> When the next circle of developers - outside of redhat, but having links
> to inside - gets hit, they do the same.  And so on.
>
> It looks to me like the first circle is already completely broken, hence
> halting the dissemination of information and increasing the annoyance
> level outside of Red Hat.  It won't be long before sysadmins and users
> ignore the default and turn it off entirely.

There is no requirement that you learn about SE Linux from Red Hat employees.  
You can contact the Red Hat employees who work on SE Linux just as easily as 
any other Red Hat employee.

Send email to rcoker at redhat.com and I'll answer your questions about SE Linux 
and Fedora with the same priority that I would give to the same questions 
from a Red Hat employee.

If you want a good and fast response from me, the best thing to do is to post 
to a mailing list (such as this one) and CC me on this address.  As you will 
notice, I am a bit behind in my mailing list email; if your original message 
had been CC'd to me you would have had a reply a long time ago.

> I understand that FC3 is relatively fresh and that not everything can be
> in place from the start.
> I just want to get a good picture of where SELINUX is at and how to
> solve issues, so that I can try to fix stuff myself, and explain to
> other people.  Otherwise I'll just have to turn off SELINUX myself, and
> recommend the same to others when questions are asked about it.

SE Linux is in good shape technically.  The documentation is lacking; all the 
people who know the code are very busy doing coding.  That leaves a shortage 
of people who have the ability and time to write documentation.  Things are 
improving, however; there is quite a bit of documentation going in other 
places, one of which is Linux Journal.  We should probably make a page of links to all 
reliable sources of information.  My web site has some of the needed links.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
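To make concrete what audit2allow does with the input from the pipelines above, here is an added example (not part of the original mail, and not audit2allow's own code) that parses constructed AVC denial lines of the kind found in dmesg and renders them as allow rules for a custom.te file. The log lines, PIDs and inode numbers are made up; the domain and type names are only illustrative. The output is a starting point to review, since every denial becomes an allow rule whether or not the access was legitimate.

```python
import re
from collections import defaultdict

# Constructed sample kernel log lines of the kind `dmesg | audit2allow` reads.
# Values are made up for illustration, not taken from a real system.
SAMPLE_LOG = """\
audit(1100000000.123:45): avc:  denied  { read } for  pid=1234 exe=/usr/sbin/httpd name=index.html dev=hda3 ino=98765 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file
audit(1100000000.456:46): avc:  denied  { getattr } for  pid=1234 exe=/usr/sbin/httpd path=/var/www/html/index.html dev=hda3 ino=98765 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=file
audit(1100000000.789:47): avc:  denied  { name_connect } for  pid=1234 exe=/usr/sbin/httpd dest=3306 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
hda: dma_intr: status=0x51 DriveReady SeekComplete Error
"""

# An AVC denial carries the denied permissions, the source and target
# security contexts (user:role:type) and the object class.
AVC = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def parse_denials(text):
    """Return {(source_type, target_type, class): set(perms)} for every AVC denial."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC.search(line)
        if not m:
            continue  # not an AVC message (ordinary kernel noise in dmesg)
        # The type is the third field of a security context user:role:type
        stype = m.group("scon").split(":")[2]
        ttype = m.group("tcon").split(":")[2]
        rules[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return rules

def to_te(rules):
    """Render the collected denials as allow rules for a custom.te file."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        lines.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines)

if __name__ == "__main__":
    # Two denials against the same type/class are merged into one rule.
    print(to_te(parse_denials(SAMPLE_LOG)))
```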
