[CentOS] SELinux and access across 'similar types'

Sat Jan 7 17:41:03 UTC 2012
Marko Vojinovic <vvmarko at gmail.com>

On Saturday 07 January 2012 08:15:35 Bennett Haselton wrote:
> On 1/7/2012 6:50 AM, Marko Vojinovic wrote:
> > On Saturday 07 January 2012 05:39:15 Bennett Haselton wrote:
> >> Apparently the marketplace favors hosting companies turning SELinux
> >> off
> >> because the failures it causes are too obscure and it causes too many
> >> support headaches.
> > 
> > Ignorance is bliss... ;-)
> > 
> > A hosting company should certainly have SELinux turned on by default. A
> > customer who doesn't know how to handle it should be told to RTFM.
> 
> See what I wrote to John about "should-statements"... you can't change
> human nature, but you can make better defaults.

What do you mean by "better" defaults? Better for the user, or better for the 
hosting company? Better in terms of quality/security, or better in terms of 
ease of use?

There is no obvious "better" default, IMHO. This is about trading security for 
convenience, and if a hosting company puts convenience before security, they 
are doing a lousy job. Turning off SELinux is a choice that should be done by 
the *customer*, not by the hosting company.

I am still waiting for the day when SELinux will become completely mandatory, 
just as the owner/group permissions are today. ;-)

> > Sometimes there is a message on stderr about "permission denied" or
> > such. But in general every AVC denial is written in
> > /var/log/audit/audit.log. There are also setroubleshootd and sealert,
> > to help you "translate" the AVC denial into something more
> > user-friendly, and suggest what to do about it.
> 
> Yes, once you know that SELinux is the cause, the tools for diagnosing
> what to do are pretty helpful.  But what hosting companies care about --
> in terms of inconvenience to the user -- is that there's no easy way to
> find out for the first time that SELinux is the cause of something not
> working.
> 
> Hence the idea for having SELinux send messages to the terminal saying
> "SELinux blocked such-and-such".  There's probably some better way.

Well, when something gets blocked by iptables, that doesn't even get into a 
log, let alone interactive messages. An administrator needs to be intelligent 
enough to *guess* that the app doesn't work because some port might be closed 
by the firewall. That's even worse than the situation with SELinux, and nobody 
has ever "fixed" that one in decades. :-)

I guess it could be easily implemented, though. All AVC denials are being 
communicated via dbus, and can probably be caught and sent to a terminal as 
well. Read man audispd and related stuff --- I guess one can customize the 
relevant log daemon to send messages to the terminal too, in addition to the 
log file.

If you manage to customize it, send us the recipe, I guess it could be helpful 
for others as well. :-)

HTH, :-)
Marko