Change request: SELinux tweaks.
Toshio Kuratomi
a.badger at gmail.com
Fri Nov 21 21:12:13 UTC 2008
Luke Macken wrote:
> On Fri, Nov 21, 2008 at 02:17:53PM -0600, Mike McGrath wrote:
>> On Fri, 21 Nov 2008, Luke Macken wrote:
>>
>>> Attached are some patches that will fix many AVC's that are currently
>>> happening within our infrastructure.
>>>
>>> Patch 0010-Fix-our-semanage_fcontext-function-to-work-on-symlin.patch
>>> /should/ fix the problem introduced in
>>> 41acfbc83c80d12d915a0d6087e841aba2c7e78c that caused restorecon to flip
>>> out when trying to apply context to a symlink.
>>>
>>> The rest should all be fairly straight-forward fixes that involve
>>> flipping booleans, setting context, and creating custom policy modules.
>>> Apologies for the binary blobs in the diffs :)
>>>
>> What is the impact of actually implementing these changes? Also whats the
>> risk if stuff goes horribly wrong?
>
> These changes will greatly decrease the amount of SELinux AVCs
> generated, and in the case of bastion will also decrease the number of
> prelude alerts being sent to our prelude-manager. Since we're
> in permissive mode, all AVCs are essentially harmless, but we need to
> fix them to not only move forward with our SELinux deployment, but also
> for the IDS deployment as well (we currently have too many AVCs for our
> audit-driven prelude IDS to be useful).
>
> The only thing I can think of that could go "horribly wrong" is if patch
> 0010 does not fix the symlink issue, and it would trigger a 'restorecon
> -R /', which would only cause a little bit of disk churn. When these
> are applied, I will manually run puppet on our hosted machine to ensure
> that the symlink issue is properly fixed.
>
How does patch 0010 fix the problem? It looks like trying to use this
on /git will still result in restorecon -R / being run.
-Toshio
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 197 bytes
Desc: OpenPGP digital signature
Url : http://lists.fedoraproject.org/pipermail/infrastructure/attachments/20081121/d4b00ccd/attachment.bin
More information about the infrastructure
mailing list