Change is good when it brings worthy improvements, like security

Posted Jul 10, 2008 9:46 UTC (Thu) by rvfh (subscriber, #31018)
Parent article: SELinux and Fedora

Everything I read (article and comments) reminds me of a previous job where everybody had the
root password of our build server (I was the admin).

Once, someone typed reboot as root on the server instead of his target (both remote access),
and I took this opportunity to change the root password and not give it away, except to a
deputy and a manager (for obvious reasons).

Most colleagues didn't mind, but one was extremely worried about seeing some of his 'rights' go
away, and I told him that I would give him sudo access for anything he needed to do and could
not do as a normal user.

In the end, he never came asking for anything, because nothing he did required high
privileges, and I think it's a bit the same here. It's some kind of FUD.

Also, interestingly, people who report most issues seem to start by saying 'I worked with
Linux for the last two centuries blah blah blah...'  Yes, but this is changing things, so
indeed it brings new problems, and new solutions, and it does not matter that you are an
expert in this or that, you may also have to learn the basics of SELinux, just like you had to
learn the basics of vi, Bash, [add your own little admin tool here]



Change is good when it brings worthy improvements, like security

Posted Jul 10, 2008 20:04 UTC (Thu) by mrshiny (subscriber, #4266)

Amen: a new system requires new knowledge, and that's why SELinux isn't gaining user
acceptance.  That, and the fact that it's hard to use, so even admins can struggle with it.

Normal ls doesn't show the context of a file
It can be tricky to set up new labelling rules
Until recently it was really annoying to diagnose what was failing and why

Fedora 8 fixed this for me with the SEAlert applet.  Now when there is an SELinux failure on
my system I can see what is wrong, and what command I should run to allow the access that was
denied.  This helps a great deal.  What we need now is a tool which lets you, for a specific
program, generate new SELinux rules so that you can install something and have it just work.
For example, I like to run my HTTP doc-root in /home/httpd (I'm a hold-out from RH 6).  SELinux
makes this nearly impossible.  I've given up on this and resorted to manually changing the
labels of files.  But given how arcane this is I can see why people still resist.

Change is good when it brings worthy improvements, like security

Posted Jul 15, 2008 22:09 UTC (Tue) by dpquigl (guest, #52852)

/usr/sbin/semanage fcontext -a -t httpd_sys_content_t '/home/httpd(/.*)?'
restorecon -R -v /home/httpd

That should fix your problem.

The first line tells the policy that all files under /home/httpd and the directory itself
should be labeled with httpd_sys_content_t. This will allow httpd access to it. The second
then relabels all of the files under that point so they are correct. Something to take note
of: if there is a more explicit labeling rule on a file, for instance /home/httpd/foo, the above
line won't override it. So if you have a cgi directory under that point you can do something
along the lines of

/usr/sbin/semanage fcontext -a -t httpd_sys_script_exec_t '/home/httpd/cgi(/.*)?'

It will label everything under that with httpd_sys_script_exec_t and everything else will match
the first rule above. I might be wrong with the syntax on the regex but you get the idea. The
more explicit the path the more authoritative it is.

If you have any more problems feel free to email the fedora-selinux list and I'm sure you will
get a quick answer to your question and a solution to whatever problem you are having.
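A worked model of the two-rule setup described in the comment above. This is an added example, not code from the thread or from the SELinux project, and it makes one simplifying assumption: libselinux consults the policy's file_contexts first and the semanage-managed file_contexts.local after it, and the last rule whose anchored regex matches the whole path wins. That ordering is what lets the local rules override stock policy and the more specific cgi rule override the broader /home/httpd one. The block also shows why a spec spelled '/home/httpd/cgi/*' (the syntax the comment hedges on) matches the directory but not the files under it, and why restorecon has to follow semanage: the rule alone only changes what a relabel will produce. POLICY_RULES are constructed stand-ins for stock policy entries, not copied from any real policy.

```python
import re

# Constructed stand-ins for two stock policy rules (illustrative, not copied
# from any real file_contexts): the /home tree is user home content.
POLICY_RULES = [
    ("/home", "home_root_t"),
    ("/home/[^/]+(/.*)?", "user_home_t"),
]

# The two rules from the post. The cgi rule uses '(/.*)?' so that the cgi
# directory itself and everything below it match; '/home/httpd/cgi/*' as a
# regex only matches the directory followed by zero or more slashes.
LOCAL_RULES = [
    ("/home/httpd(/.*)?", "httpd_sys_content_t"),
    ("/home/httpd/cgi(/.*)?", "httpd_sys_script_exec_t"),
]


def matches(spec, path):
    """An fcontext spec is an anchored regex: it must cover the whole path."""
    return re.fullmatch(spec, path) is not None


def label_for(path, policy=POLICY_RULES, local=LOCAL_RULES):
    """Type assigned to path: last matching rule wins, local rules come last.

    Model assumption: the policy file_contexts is consulted first and
    file_contexts.local (the semanage -a additions) is appended after it.
    """
    result = None
    for spec, ftype in list(policy) + list(local):
        if matches(spec, path):
            result = ftype
    return result


def stem(spec):
    """Literal directory prefix of a spec, up to the first regex metacharacter."""
    return re.split(r"[.*?+()\[\]^$|\\]", spec)[0].rstrip("/") or "/"


def semanage_commands(rules):
    """The shell commands that record these rules and apply them on disk.

    semanage fcontext -a only records the rule (which is why it survives a
    full relabel); restorecon is what rewrites labels on existing files, so
    one recursive run over the topmost stem follows the rule additions.
    """
    cmds = ["semanage fcontext -a -t %s '%s'" % (ftype, spec) for spec, ftype in rules]
    stems = sorted({stem(spec) for spec, _ in rules})
    tops = [s for s in stems if not any(s.startswith(t + "/") for t in stems if t != s)]
    cmds += ["restorecon -R -v %s" % s for s in tops]
    return cmds


if __name__ == "__main__":
    for cmd in semanage_commands(LOCAL_RULES):
        print(cmd)
    for p in ("/home/alice/index.html", "/home/httpd/index.html",
              "/home/httpd/cgi", "/home/httpd/cgi/hello.cgi"):
        print("%-28s -> %s" % (p, label_for(p)))
    # The '/*' spelling, as a regex, misses files under the cgi directory:
    print(matches("/home/httpd/cgi/*", "/home/httpd/cgi/hello.cgi"))  # False
```

Run it as a script to see the commands and the resulting labels; the useful check on a real Fedora box is `matchpathcon /home/httpd/cgi/hello.cgi` after the semanage step, which consults the same rule files this model stands in for.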

Change is good when it brings worthy improvements, like security

Posted Jul 15, 2008 22:15 UTC (Tue) by dpquigl (guest, #52852)

I also found on Dan Walsh's blog that there is a GUI for doing this as well.

"You can see similar functionality in system-config-selinux by selecting the 'File Labeling'
list item and then clicking on the 'Customized' button."

Change is good when it brings worthy improvements, like security

Posted Jul 17, 2008 3:45 UTC (Thu) by mrshiny (subscriber, #4266)

Thanks for the tip.  I had already gone down this road with the gui tool and found that
something didn't work properly and my attempts at manually setting this stuff failed.  I
eventually gave up and moved my doc root or just manually changed the context... I forget.  I
think I manually changed the context and I expect it to fail if the whole system gets
re-labelled.

It would be much easier for a sysadmin to be able to specify the document root in the apache
config file and have an selinux-aware tool say "gee, looks like you'll need to add these
se-linux rules... proceed? Y/N".  But at least much progress has been made with these tools
compared to Fedora 2.


Copyright © 2017, Eklektix, Inc.