Change request: SELinux tweaks.
lmacken at redhat.com
Fri Nov 21 21:01:29 UTC 2008
On Fri, Nov 21, 2008 at 02:17:53PM -0600, Mike McGrath wrote:
> On Fri, 21 Nov 2008, Luke Macken wrote:
> > Attached are some patches that will fix many AVCs that are currently
> > happening within our infrastructure.
> > Patch 0010-Fix-our-semanage_fcontext-function-to-work-on-symlin.patch
> > /should/ fix the problem introduced in
> > 41acfbc83c80d12d915a0d6087e841aba2c7e78c that caused restorecon to flip
> > out when trying to apply context to a symlink.
> > The rest should all be fairly straightforward fixes that involve
> > flipping booleans, setting context, and creating custom policy modules.
> > Apologies for the binary blobs in the diffs :)
> What is the impact of actually implementing these changes? Also what's the
> risk if stuff goes horribly wrong?
These changes will greatly decrease the amount of SELinux AVCs
generated, and in the case of bastion will also decrease the number of
prelude alerts being sent to our prelude-manager. Since we're
in permissive mode, all AVCs are essentially harmless, but we need to
fix them to not only move forward with our SELinux deployment, but also
for the IDS deployment as well (we currently have too many AVCs for our
audit-driven prelude IDS to be useful).
The only thing I can think of that could go "horribly wrong" is if patch
0010 does not fix the symlink issue, and it would trigger a 'restorecon
-R /', which would only cause a little bit of disk churn. When these
are applied, I will manually run puppet on our hosted machine to ensure
that the symlink issue is properly fixed.
Other than that, these changes should be completely transparent.