Selinux
Bill Davidsen
davidsen at tmr.com
Sun Nov 30 01:05:37 UTC 2008
Wolfgang S. Rupprecht wrote:
> Bill Davidsen <davidsen at tmr.com> writes:
>> That's a bit like asking how to turn off the burglar alarm so
>> break-ins won't be so noisy. The correct question is how to set
>> attributes correctly so google earth will run, and the answer may be
>> in the SElinux report, as it often is. Read the report and see if it
>> gives you a command to run which solves the problem.
>
> ;-)
>
> Good analogy, extra style points for making one feel guilty for
> turning off something that sounds like it should be a good thing to
> have on in general.
>
Much easier to have on in distribution configuration on servers, not doing
bizarre stuff. My mail, dns, dhcp servers run fine that way. Clients doing
unusual stuff, not so much.
> Each distribution, since I think FC4, I've tried to run selinux and
> after a short time decided it simply wasn't worth the trouble. On
> anything more complicated than a client-only, stand-alone system, I'd
> get low-probability failures creeping out of the woodwork forever.
> Selinux as currently delivered is a better DOS than any outside
> attacker has ever inflicted on WSRCC in the one and a half dozen years
> it has been on the net. (Now, I obviously still believe in chrooted,
> internet-facing programs run as powerless per-daemon users, and I'm a
> firm stickler in no non-RSA/DSA remote logins. I just don't like my
> own system DOS-ing me randomly.)
>
> This time on F10 selinux lasted exactly 15 minutes. The first time I
> tried to log in as an NFS automounted user, I realized that things
> have gotten worse in terms of working for me out of the box. Sure I
> could fight the issue and use the selinux tools to adjust the
> permissions, but why bother, it is clear this hasn't been well tested
> and using selinux will be an uphill battle with a pre-alpha quality
> permissions database that I'll essentially be maintaining on my own.
>
Haven't done amd home directories since SunOS (yes, the old 68030 based SunOS
based on BSD), so I can't say, but having had similar issues bind mounting a
home directory I know what you mean; the stock selinux doesn't like that.
> I strongly suspect that Red Hat doesn't run with selinux enabled on
> their corporate machines. From how rickety everything still is, it
> just doesn't feel like they eat their own dog-food. How can NFS-ed
> home directories possibly not work if they did? Folks from RH are of
> course encouraged to tell me how wrong I am.
>
I haven't had any problems with systems which permanently mount filesystems on
local disk. That's a good bit of my usage, and all my server usage; the only
thing worse than single points of failure is multiple single points of failure,
and proper redundancy is expensive.
I don't have an answer for your automount issue; my bind mount (in rc.local) is
followed by some selinux blessing, which I took directly from the warning in
active but not enforcing mode. After I sprinkle the mount with holy water it works.
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
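An added example, not from this thread or from either poster, of the workflow the reply describes: run with SELinux active but not enforcing, read the AVC denial from the audit log instead of switching SELinux off, and take the labelling fix from it. The two audit lines are constructed for the example. The commands the script suggests (restorecon, and semanage fcontext -a -e for a bind or auto mount whose files should carry the same labels as /home) are the standard relabelling tools; that they are what the poster's rc.local "selinux blessing" consists of is my assumption, not something the message states.

```shell
#!/bin/sh
# Added example: parse AVC denials and classify them as a labelling
# problem (fix with restorecon/semanage) or a policy decision.
# Both log lines below are CONSTRUCTED, not real denials from any system.

AVC_LABEL='type=AVC msg=audit(1228000000.123:45): avc:  denied  { read } for  pid=1234 comm="bash" name=".bashrc" dev=sda3 ino=5678 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file'
AVC_POLICY='type=AVC msg=audit(1228000000.456:46): avc:  denied  { write } for  pid=2345 comm="sshd" name="lastlog" dev=sda3 ino=9012 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_field LINE KEY -> the value of KEY=... in the audit line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE -> the permission(s) listed inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT -> the type, i.e. the third field of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE -> one line of advice, prefixed "relabel:" or "policy:".
# A target labelled default_t or unlabeled_t is almost always a file that
# never got its context (fresh filesystem, bind mount, mount point created
# by hand), which restorecon fixes. Anything else is a real policy decision
# and should be reviewed rather than patched by disabling SELinux.
suggest_fix() {
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    case "$ttype" in
        default_t|unlabeled_t)
            echo "relabel: restorecon -Rv <mountpoint>  (for a bind/auto mount of home dirs, first: semanage fcontext -a -e /home <mountpoint>)"
            ;;
        *)
            echo "policy: $stype denied $(avc_perm "$1") on $ttype ($(avc_field "$1" tclass)); review with setroubleshoot/audit2allow before changing policy"
            ;;
    esac
}

# avc_summary LINE -> a compact one-line view of who was denied what
avc_summary() {
    printf '%s %s %s -> %s (%s)\n' \
        "$(avc_field "$1" comm)" \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)"
}

# Stand-alone run: show both denials and the suggested handling.
# On a real box the input would come from: ausearch -m avc -ts recent
for line in "$AVC_LABEL" "$AVC_POLICY"; do
    avc_summary "$line"
    suggest_fix "$line"
done
```

The classification is deliberately coarse: it only separates "the file has no proper label" (the situation a bind or automount of home directories tends to produce) from "policy does not allow this access", because those call for different responses and the second one deserves a human decision.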