SE Linux lacks proper user notification for security violations

Tracy R Reed treed at ultraviolet.org
Sat Jun 25 08:23:04 UTC 2005


Hello all!

Yesterday I ran into a very odd problem which I think highlights a
serious weakness in the current selinux implementation. A newbie
linux/web developer was testing a perl based cgi on his fedora box. If
he put the cgi program in /var/www/cgi-bin it would not produce any
output nor error messages. It just seemed to exit. If he ran it from his
~/ it produced the expected output. It took me a good 15 min of
scratching my head over this before I realized this must be an selinux
thing due to the context of the cgi-bin dir and of course I was right.

This highlights a serious concern of mine: Lots of time is being wasted
tracking down strange problems because the only place SE Linux has to
report security errors is in dmesg and the system log. When the cgi
program would not produce any output at all it was not even obvious that
it was a security problem. This is not acceptable for general use. My
users won't think to check the system log for possible security policy
violations relating to their activities and even I often forget to do it
because security policy violation is often not the first thing that
comes to my mind when something like this happens. And even if we do
think of it, we should not have to go check the logs every time
something odd happens suspecting SE Linux. It should be immediately obvious.

Traditionally when there is a security policy violation you get a
"permission denied" on the tty. We have got to find a way to make an
error appear on the tty associated with the process that caused the
violation. I think I am going to look into setting up syslog to log all
such security messages to all tty's until I can find a better solution.

But what is the better solution? I suspect that now that we have a very
granular way of specifying security policy we will need a more granular
way to report errors back to the user.

I am having a rather difficult time selling SE Linux in my business due
to issues like this. People really hate it when this cool new security
feature causes things to fail in dark and mysterious ways. I have been
forced to disable it on all of our machines lest we have a developer
uprising.

--
Tracy R Reed
http://ultraviolet.org
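
An added example, not part of the original post and not code from the SELinux project: the AVC denials that the post says surface only in dmesg and the system log can be extracted and collapsed into one readable line per distinct denial. The log lines, host name, pids and security contexts below are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample kernel log (not from the post); hosts, pids, names and
# contexts are illustrative only.
SAMPLE_LOG = '''\
Jun 24 21:10:02 web1 kernel: audit(1119647402.311:0): avc:  denied  { read } for  pid=4121 comm="test.cgi" name="data.txt" dev=hda2 ino=98211 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:user_home_t tclass=file
Jun 24 21:10:02 web1 kernel: EXT3-fs: mounted filesystem with ordered data mode.
Jun 24 21:10:05 web1 kernel: audit(1119647405.007:0): avc:  denied  { read } for  pid=4130 comm="test.cgi" name="data.txt" dev=hda2 ino=98211 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:user_home_t tclass=file
Jun 24 21:11:40 web1 kernel: audit(1119647500.552:0): avc:  granted  { load_policy } for  pid=4200 comm="load_policy" scontext=root:system_r:load_policy_t tcontext=system_u:object_r:security_t tclass=security
Jun 24 21:12:09 web1 kernel: audit(1119647529.114:0): avc:  denied  { getattr search } for  pid=4250 comm="httpd" name="scratch" dev=hda2 ino=77310 scontext=root:system_r:httpd_t tcontext=user_u:object_r:tmp_t tclass=dir
'''

AVC_DENIED = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx

def parse_denials(text):
    """Extract one dict per 'avc: denied' record; other log lines are skipped."""
    denials = []
    for line in text.splitlines():
        m = AVC_DENIED.search(line)
        if m is None:
            continue
        rec = {k: v.strip('"') for k, v in KEY_VALUE.findall(m.group("rest"))}
        rec["perms"] = m.group("perms").split()
        denials.append(rec)
    return denials

def summarize(denials):
    """Collapse repeated denials into one human-readable line each, with a count."""
    counts = Counter(
        (d.get("comm", "?"), context_type(d.get("scontext", "?")), " ".join(d["perms"]),
         d.get("tclass", "?"), d.get("name", "?"), context_type(d.get("tcontext", "?")))
        for d in denials)
    return [f'{comm} ({stype}) denied {{ {perms} }} on {tclass} "{name}" labeled {ttype} [x{n}]'
            for (comm, stype, perms, tclass, name, ttype), n in counts.most_common()]

if __name__ == "__main__":
    print("\n".join(summarize(parse_denials(SAMPLE_LOG))))
```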



