
Removing run-time disabling for SELinux in Fedora

Removing run-time disabling for SELinux in Fedora

Posted Sep 24, 2020 9:08 UTC (Thu) by MKesper (subscriber, #38539)
In reply to: Removing run-time disabling for SELinux in Fedora by rwmj
Parent article: Removing run-time disabling for SELinux in Fedora

That's still much work, though, sadly.



Removing run-time disabling for SELinux in Fedora

Posted Sep 24, 2020 10:41 UTC (Thu) by james (subscriber, #1325) [Link] (1 responses)

Couple of minutes' work, maybe? And, in my experience, the resulting rules are comprehensible, showing you what you are allowing and giving you a chance to check that the program does actually need that access.

The example given in the documentation is

    allow certwatch_t var_t:dir write;

which is pretty clear even if you aren't very familiar with SELinux.

Also, SELinux in Fedora/CentOS mostly restricts sensitive OS-type programs: big user programs like LibreOffice are extremely unlikely to encounter problems.

(I wonder how many counter-examples I'm going to get...)

Removing run-time disabling for SELinux in Fedora

Posted Sep 24, 2020 12:56 UTC (Thu) by jmclnx (guest, #72456) [Link]

But for people just getting exposed to SELinux, it is not a few minutes' work.

I have spent 3+ days trying to get vnstatd active using "audit2why", "audit2allow", "checkmodule", "semodule_package" and "semodule" (plus many others) and it still fails.

I am NOT asking for help on this, but I am pointing out how hard it is to work with SELinux. The documentation is extremely complex, and it seems one must spend many weeks reading and re-reading docs to even figure out how to do the simplest task.

I really want to keep it active, at least I know it can be very useful, but getting items to work is quite hard.
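The two comments above describe the same workflow from opposite ends: james's point that audit2allow turns a denial into a readable rule such as `allow certwatch_t var_t:dir write;` that you can review before loading, and jmclnx's list of the tools that then build and install the module (audit2why, audit2allow, checkmodule, semodule_package, semodule). The following script is an added illustration, not code from the thread or from the SELinux tools; it reimplements the translation step in miniature so the mapping from AVC record to allow rule and to a `.te` module source is visible. The audit records, the module name `certwatch_local` and the `GENERIC_TARGET_TYPES` review heuristic are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample audit records for illustration (not taken from the page or any real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1600940000.123:456): avc:  denied  { write } for  pid=1234 comm="certwatch" name="lib" dev="dm-0" ino=262145 scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1600940000.124:457): avc:  denied  { add_name } for  pid=1234 comm="certwatch" name="certwatch.tmp" scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1600940000.125:458): avc:  denied  { create } for  pid=1234 comm="certwatch" name="certwatch.tmp" scontext=system_u:system_r:certwatch_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1600940000.125:458): arch=c000003e syscall=257 success=no exit=-13 comm="certwatch"
"""

# Matches the parts of an AVC denial record that determine the allow rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Illustrative heuristic (an assumption for this example, not a policy fact): denials against
# these broad, generic types often mean the file should carry a more specific label instead.
GENERIC_TARGET_TYPES = {"var_t", "tmp_t", "etc_t", "usr_t"}


def type_of(context):
    """Return the type (third colon-separated field) of a SELinux security context."""
    return context.split(":")[2]


def fmt_perms(perms):
    """Render a permission set the way policy sources write it: bare if one, braced if several."""
    names = sorted(perms)
    return names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"


def parse_denials(text):
    """Yield (source_type, target_type, object_class, perms) for each AVC denial record."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # SYSCALL and other non-AVC records carry no denial to translate
        yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
               m.group("tclass"), set(m.group("perms").split()))


def build_rules(text):
    """Merge denials sharing (source, target, class) into one allow rule each."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_denials(text):
        merged[(src, tgt, cls)] |= perms
    return [f"allow {src} {tgt}:{cls} {fmt_perms(perms)};"
            for (src, tgt, cls), perms in sorted(merged.items())]


def build_te_module(name, text):
    """Render a policy module source (.te): module header, require block, allow rules."""
    denials = list(parse_denials(text))
    types = sorted({t for src, tgt, _, _ in denials for t in (src, tgt)})
    classes = defaultdict(set)
    for _, _, cls, perms in denials:
        classes[cls] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {fmt_perms(perms)};" for cls, perms in sorted(classes.items())]
    lines += ["}", ""]
    lines += build_rules(text)
    return "\n".join(lines) + "\n"


def review_hints(rules):
    """Flag rules whose target is a generic type, so the reviewer questions them before loading."""
    hints = []
    for rule in rules:
        target = rule.split()[2].split(":")[0]
        if target in GENERIC_TARGET_TYPES:
            hints.append(f"{rule}  # target {target} is generic; consider a specific file label")
    return hints


if __name__ == "__main__":
    te = build_te_module("certwatch_local", SAMPLE_AUDIT_LOG)
    print(te)
    for hint in review_hints(build_rules(SAMPLE_AUDIT_LOG)):
        print(hint)
    # Once reviewed, the module is built and loaded with the tools named in the thread:
    #   checkmodule -M -m -o certwatch_local.mod certwatch_local.te
    #   semodule_package -o certwatch_local.pp -m certwatch_local.mod
    #   semodule -i certwatch_local.pp
```

The merge step is what makes generated rules readable: several denials from one failed operation collapse into one line per source, target and class, which is the form worth reviewing. The review hint is the part a practitioner should not skip: a denial against a generic type like `var_t` is often a labelling problem rather than a missing rule, and allowing it wholesale widens what the confined domain may touch.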


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds