begin quoting Tracy R Reed as of Tue, Jul 26, 2005 at 10:15:56AM -0700:
> Todd Walton wrote:
> > In the latest issue of SysAdmin, there's an excellent article on
> > SELinux and audit2allow. You can have SELinux disallow everything not
>
> Yes, I use audit2allow when I run into a problem. However it is still
> rather complicated to know exactly where in the policy to add your
> changes so they will take effect. I still screw it up half the time.
> Another thing that bugs me is that applications are not aware of SE
> Linux.

Why should applications be aware of SE Linux? I don't like the idea of
applications changing behavior to adapt to my security policies... they
should complain with useful error messages when denied access to a
resource, and degrade gracefully.

(Even uid-0 checks are troublesome. If I don't wanna run a program as
root, why should the program force me to? Especially if I've arranged
things so that it has read/write permission in all the places it needs?)

> So they will sometimes behave strangely in ways that are not
> obviously security related, so you might not think that SE Linux is
> denying something which causes a problem. You have to think to look in
> the log file or dmesg to know if SE Linux is denying something. I once

Yeah, getting feedback is annoying. Hm... perhaps pop up an xconsole-like
window if the DISPLAY is set to report on the SELinux-related error
messages when a program is run.... Although, that wouldn't be very useful
for your example:

> had an employee create a cgi in the cgi-bin dir of Apache. It would
> refuse to output anything when you ran it. But if we copied the cgi to
> the user's homedir it would run just fine. Took quite a while to realize
> that the cgi-bin directory is labelled with a special context and will
> not allow many things to happen, to protect the system from exploits in
> CGIs.

Perhaps better inspection tools as well? GUI _and_ CLI?

-Stewart "Visualizing a filesystem as a graph of RBAC nodes" Stremler
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
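The diagnosis step Tracy describes (having to think to look in the log or dmesg before you suspect SE Linux) is the part that can be scripted. The script below is an added example for this thread, not code from the original post or from the SELinux project. It reads AVC denial records on stdin and prints one line per distinct denial: how many times, which command, the source domain, the target type, the object class and the permissions refused. The sample records embedded in it are constructed, with made-up pids, inodes and timestamps, in the format the kernel writes to /var/log/audit/audit.log when auditd is running (without auditd the same "avc: denied" body lands in dmesg or syslog); the type names in them (httpd_sys_script_t, httpd_sys_content_t, mysqld_port_t) are the ones targeted policy uses for Apache CGI scripts and are assumptions made for the illustration. Fed the real log, it answers the cgi-bin question in one command: a script running as httpd_sys_script_t that is denied write on httpd_sys_content_t is hitting the policy, not a bug in the script.

```shell
#!/bin/sh
# avcsum.sh: summarize SELinux AVC denials so that "is SE Linux the reason
# this program misbehaves?" can be answered from the log in one command.
# Added example for this thread, not code from the original post.
#
# Constructed sample records (assumed format of /var/log/audit/audit.log;
# pids, inodes and timestamps are made up, type names are illustrative).
SAMPLE_AVC='type=AVC msg=audit(1122397856.123:45): avc:  denied  { write } for  pid=2345 comm="hello.cgi" name="data" dev=hda3 ino=12345 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file
type=AVC msg=audit(1122397857.456:46): avc:  denied  { name_connect } for  pid=2345 comm="hello.cgi" dest=3306 scontext=root:system_r:httpd_sys_script_t tcontext=system_u:object_r:mysqld_port_t tclass=tcp_socket
type=AVC msg=audit(1122397858.789:47): avc:  denied  { write } for  pid=2346 comm="hello.cgi" name="data" dev=hda3 ino=12345 scontext=root:system_r:httpd_sys_script_t tcontext=root:object_r:httpd_sys_content_t tclass=file'

# summarize_avc: read AVC lines on stdin, print one line per distinct denial:
#   <count> <comm> <source type> <target type> <class> <permissions...>
# Only the type (third colon-separated field) of each context is kept;
# user and role rarely matter when deciding whether to relabel or to allow.
summarize_avc() {
    awk '
    /avc: +denied/ {
        perm = $0
        sub(/.*denied +[{] */, "", perm)   # drop everything before "{ "
        sub(/ *[}].*/, "", perm)           # drop everything from " }" on
        comm = ""; stype = ""; ttype = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) { split(substr($i, 10), s, ":"); stype = s[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), t, ":"); ttype = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[comm " " stype " " ttype " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }
    ' | sort
}

# denied_perms COMM TCLASS: the permissions COMM was refused on objects of
# class TCLASS, one per line, taken from the AVC records on stdin.
denied_perms() {
    summarize_avc | awk -v c="$1" -v cls="$2" '
        $2 == c && $5 == cls { for (i = 6; i <= NF; i++) print $i }' | sort -u
}

# Stand-alone run: summarize the constructed sample. Expected output:
#   1 hello.cgi httpd_sys_script_t mysqld_port_t tcp_socket name_connect
#   2 hello.cgi httpd_sys_script_t httpd_sys_content_t file write
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
```

Against a live host, pipe the log through it (`grep 'avc: ' /var/log/audit/audit.log | sh avcsum.sh`, or `dmesg` where auditd is not running) and look for the command that misbehaves. A denial on a file type tells you to decide between relabelling (the file has the wrong context) and widening policy (the context is right and the access is legitimate); the same AVC lines fed to audit2allow produce the allow rules for the second case, which is exactly the point where Tracy's "where in the policy do I put this" problem starts. One caveat: accesses covered by dontaudit rules produce no record at all, so an empty summary does not prove that SE Linux is not the cause.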
