SELINUX

Marko Vojinovic vvmarko at gmail.com
Tue Aug 31 21:16:37 UTC 2010


On Tuesday, August 31, 2010 21:18:16 Erik P. Olsen wrote:
> On 31/08/10 11:22, Alan Cox wrote:
> > Do you understand the details of how your airbag system works, or how
> > your ABS braking works? Can you model the crumple zones of a car, or do
> > you just get in and put up with the little safety inconveniences like the
> > weight of the doors, the length of the vehicle, the seatbelts?
> 
> Why do people always pick examples of features with easy user interface
> when the fact with selinux is that the user interface is totally
> incomprehensible for the ordinary home user. I for one disable selinux
> because I don't want to waste time with learning how to use it.

The user interface of SELinux is the most trivial one possible --- it is 
supposed to Just Work, completely transparently. An ordinary user should never 
get into a situation to ever interact with SELinux policy.

If you do get an AVC denial and a warning in the system tray, something is 
*wrong* with the machine. Either you are trying to do something you shouldn't, 
or someone else is. In both cases you are better off investigating what went 
wrong and correcting the cause of the denial, rather than modifying the policy 
to allow the rogue access.

The analogy with ABS would be you trying to tinker with the wheel lock-up 
detection system in order to tweak it to work differently (and probably less 
safe than the factory default). The user interface for that simply doesn't 
exist on an ABS system, and you need detailed technical knowledge on how to 
tinker with it. And as a regular user you should never do that.

SELinux is the same --- in normal usage you simply don't interact with it. 
That is the easiest "user interface" imaginable. If you want to tinker with 
it, you need detailed technical knowledge on how to do it.

The issue here is that a lot of people are used to the *wrong* idea that 
SELinux is the one needing adjustment when something goes wrong. Today this is 
rarely the case (was more frequent in the past, but not anymore), and you 
should file a bugzilla if it happens. What typically needs adjustment is the 
cause of the AVC denial, i.e. the program that caused the denial, or the user 
who is manipulating the program and files in a wrong way.

How many times did you get into a situation to execute some command, only to 
be responded with a "permission denied, you are not root" kind of message? 
When that happens, who is at fault? Do you go change the permissions of 
relevant files to allow access to yourself, or do you understand that you are 
trying to do something in the wrong way, and adjust your own behavior?

Some people like logging in as root and having root privileges all the time, 
because of the illusion that it is easier. But aside from some special cases, 
that is very well known to be a Bad Idea. Ditto for disabling SELinux.

And in regular use, you just shouldn't need to adjust SELinux policy, and 
therefore should not need any user interface for it. Anything else is a bug, 
and nowadays typically not in the policy but somewhere else.

Best, :-)
Marko



