Re: SELinux de-mystified

2013-12-01 Thread Nico Kadel-Garcia
On Sat, Nov 30, 2013 at 3:31 AM, ToddAndMargo  wrote:

> Hi David,
>
>   Loved the article.  I understood all about the cartoons and
> the dogs and cats.  Perfectly done.  Unfortunately, when the
> real world kicked in: zoom, right over my head.
>
>   Who sets up these labels and how is that done?  Some GUI
> for this?

In theory, people like David, when creating RPM packages, incorporate
some guidelines. And in testing, one can set SELINUX to "permissive",
and record what violations are being reported. With that in hand, and
some system knowledge, you can tune the SELinux settings, update the
package installers, and go another round.

In practice? Few developers are willing to help write good packages,
and many completely ignore the File System Hierarchy, so they wind up
putting stuff in all *sorts* of places. And it winds up the RPM
authors' problem to straighten out any SELinux conflicts. Our friends
upstream at Fedora and Red Hat are pretty good about it. But when
developing home or business layouts with personnel who've not dealt
with it, it's usually easier to just turn SELinux off or set
permissive, and try to clean up if and when you have cycles.


Re: SELinux de-mystified

2013-11-30 Thread ToddAndMargo

On 11/13/2013 11:17 AM, David Sommerseth wrote:

> Hi all,
>
> As there has been a couple of SELinux discussions lately, I thought this
> article could help explain better what SELinux is all about and why it's
> such a great tool.
>
> It's written by one of the core SELinux guys in Red Hat, Daniel Walsh
> and illustrations by one of Fedora's UX designers, Máirín Duffy.
>
> "Your visual how-to guide for SELinux policy enforcement"
>
>
> Hope you'll enjoy the reading :)
>
>
> --
> kind regards,
>
> David Sommerseth



Hi David,

  Loved the article.  I understood all about the cartoons and
the dogs and cats.  Perfectly done.  Unfortunately, when the
real world kicked in: zoom, right over my head.

  Who sets up these labels and how is that done?  Some GUI
for this?

-T

--
~~
Computers are like air conditioners.
They malfunction when you open windows
~~


Re: SELinux de-mystified

2013-11-13 Thread David Sommerseth
On 13. nov. 2013 20:26, John Musbach wrote:
> Maybe it's just me, but it seems like a serious failing of SELinux's
> efforts when most people I've encountered in the Linux world have the
> policy of just disabling SELinux in their images.

Not sure if this was intended as a fire torch or not, or I'm just being
a bit sensitive.

But I can turn it around:  IPv6 has been available for over a decade (if
not longer).  Is it a failure of IPv6 that so few enable IPv6 in their
networked environments?  Of course not.  It's about convenience and
resistance of changing your attitude to new technologies.  But
eventually you're forced to take the step.

And it's been a similar situation with iptables (and firewalling in
Windows, for that matter).  People were mostly ignorant of the concept
of firewalling, until they realised they had to implement it to have a
more secure environment.  Is iptables (or firewalling) considered a
failure today?

During EL6 installation, there is no way you can disable SELinux.  It
needs to be done explicitly afterwards.  This is because SELinux is
considered to work so well most users really don't need to think about
it.  Seriously.

SELinux has also been available since EL4 and Fedora Core 3.  SELinux is
celebrating 10 years these days.  It's not something brand new, but it
is beginning to really gain traction.  These days even SEAndroid is on
the way (that is SELinux for Android).  SELinux has developed a lot, and
is far more easily available and usable today than it was 10 years ago.
Please don't be afraid of it!

To all of you SELinux sceptics, I have only this to say: If you first
grasp the concept of labelling, SELinux isn't much more difficult than
what iptables used to be in the beginning.  And that article from Dan
Walsh gives a very easy to understand introduction to SELinux.

And seriously, unless you really have a really odd setup, SELinux will
not give you any troubles in EL6.

I have set up roughly 20 different SL6.x servers in the last few years.  I
can't remember having had any real issues related to SELinux.  This has
been everything from LDAP servers, web servers (apache and nginx),
e-mail servers (both postfix+amavis+spamassassin and Zimbra), database
servers (both PostgreSQL and MySQL).  I honestly can't remember having
had much troubles with SELinux at all.

If SELinux did kick in, it was usually just to flip some SELinux
booleans (semanage boolean --list), modifying some network ports context
(semanage port --list) or adding some extra paths for correct file
labelling (semanage fcontext --list).  Changing those things is really
not more difficult than adding additional iptables rules.  And to figure
out if it is SELinux to blame:  grep denied /var/log/audit/audit.log

Really, stop disabling it!  Try it for real and embrace SELinux now!


kind regards,

David Sommerseth



> On Nov 13, 2013, at 2:17 PM, David Sommerseth 
>  wrote:
> 
>> Hi all,
>>
>> As there has been a couple of SELinux discussions lately, I thought this
>> article could help explain better what SELinux is all about and why it's
>> such a great tool.
>>
>> It's written by one of the core SELinux guys in Red Hat, Daniel Walsh
>> and illustrations by one of Fedora's UX designers, Máirín Duffy.
>>
>> "Your visual how-to guide for SELinux policy enforcement"
>> 
>>
>> Hope you'll enjoy the reading :)
>>
>>
>> --
>> kind regards,
>>
>> David Sommerseth
>>
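
An added example (not from the thread or from any of its posters) of the triage David describes: grep the audit log for denials, then decide whether a boolean, a port context or a file context is the thing to look at. The audit.log excerpt is constructed, and the tclass-to-semanage mapping is my own rough heuristic, not an SELinux rule.

```shell
#!/bin/sh
# Added example, not from the thread: triage AVC denials the way the post
# describes (grep denied /var/log/audit/audit.log, then decide whether a
# boolean, a port context or a file context needs attention).

# Constructed audit.log excerpt in the format auditd writes for AVC denials.
SAMPLE_AUDIT='type=AVC msg=audit(1384400000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1384400001.456:457): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1384400001.456:457): arch=c000003e syscall=2 success=no exit=-13'

# Number of AVC denials in the text passed as $1 (the post's "grep denied").
count_denials() {
    printf '%s\n' "$1" | grep -c 'avc:  denied'
}

# One line per denial: permission comm source_type target_type tclass
summarise_denials() {
    printf '%s\n' "$1" | grep 'avc:  denied' | sed -E \
        's/.*denied  [{] ([^}]*) [}].*comm="([^"]*)".*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([a-z_]*).*/\1 \2 \3 \4 \5/'
}

# Rough heuristic (my mapping, not an SELinux rule): which of the three
# semanage views named in the post to look at first for a given tclass.
suggest_check() {
    case "$1" in
        tcp_socket|udp_socket) echo 'semanage port --list; semanage boolean --list' ;;
        file|dir|lnk_file)     echo 'semanage fcontext --list' ;;
        *)                     echo 'semanage boolean --list' ;;
    esac
}

# Stand-alone run: print a triage line per denial.
echo "AVC denials found: $(count_denials "$SAMPLE_AUDIT")"
summarise_denials "$SAMPLE_AUDIT" | while read -r perm comm src tgt tclass; do
    printf '%s (%s) -> %s: %s on %s; check: %s\n' \
        "$src" "$comm" "$tgt" "$perm" "$tclass" "$(suggest_check "$tclass")"
done
```

On a real box, replace SAMPLE_AUDIT with the output of `grep denied /var/log/audit/audit.log`; the source and target types in each line are what you look up in the semanage listings.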


Re: SELinux de-mystified

2013-11-13 Thread John Musbach
Maybe it's just me, but it seems like a serious failing of SELinux's efforts 
when most people I've encountered in the Linux world have the policy of just 
disabling SELinux in their images.


John Musbach
Jr. System Administrator
Symplicity

On Nov 13, 2013, at 2:17 PM, David Sommerseth  
wrote:

> Hi all,
> 
> As there has been a couple of SELinux discussions lately, I thought this
> article could help explain better what SELinux is all about and why it's
> such a great tool.
> 
> It's written by one of the core SELinux guys in Red Hat, Daniel Walsh
> and illustrations by one of Fedora's UX designers, Máirín Duffy.
> 
> "Your visual how-to guide for SELinux policy enforcement"
> 
> 
> Hope you'll enjoy the reading :)
> 
> 
> --
> kind regards,
> 
> David Sommerseth
>