On 1/7/2012 5:57 AM, Marko Vojinovic wrote:
On Saturday 07 January 2012 04:43:31 Bennett Haselton wrote:
On 1/7/2012 4:16 AM, Marko Vojinovic wrote:
IMHO, if a hosting company does that sort of things (especially turning off SELinux), I wouldn't touch them with a ten-foot pole. Who knows what else they might have customized, in their infinite wisdom... :-)
Care to share the name of that hosting company?
Virtually every hosting company I've ever bought a CentOS server from has had SELinux turned off by default. (So, a partial list would include FDCServers, Superb.net, SiteGenie, SecuredServers (ho, ho), AeroVPS (sells dedicated servers despite their name), Netelligent, ServerBeach and I don't remember all the others). Don't hold me to that list 100% since some might have changed their policies for new servers but it's pretty universal.
What hosting company sells sub-$100 unmanaged CentOS dedicated servers and *doesn't* have SELinux turned off?
I wouldn't know, I don't use such services (typically I have my production systems on my own hardware). And now that you say most of them turn SELinux off by default, I am discuraged to even consider having my system hosted by such companies... ;-)
As for the original question -- when the docs say that access is allowed only across "similar types", what determines what counts as "similar types"? How do you know for example that httpd running as type httpd_t can access /var/www/html/robots.txt which has type httpd_sys_content_t?
AFAIK, the interactions between various labels (ie. rules "who can access what") are determined by the SELinux targeted policy (the selinux-policy- targeted package). These rules evolve over time (the package sometimes gets updated and your filesystem autorelabeled to match), and IIRC they can get pretty complicated. You want to look inside that package to find all the rules.
OK. Is it easy to "look inside the package" and where would I look?
Well, a "rpm -ql selinux-policy-targeted" lists a whole bunch of files, mostly all residing under /etc/selinux/targeted/ directory. So you can take a look at what is in there. If that is not enough (ie. if you want to look "inside" the binary modules), you'll probably want to read the corresponding srpm. Use the Source, Luke! ;-)
Btw, your question is about some quite low-level-inside-guts of the SELinux policy. I cannot imagine why you would want to know the detailed relationships between labels, unless you are a SELinux developer. Or is it just curiosity?
I think it's because the doc page said "Access is allowed only between similar types" and I took that to mean that I should look at the type of a process and the type of a file to figure out if something was going to be allowed, if writing a script to do something unusual and hoping for it to work under SELinux.
However, maybe the more useful answer is that because SELinux's error reporting is so thorough and human-readable -- you can convert every error message into a mini-article using audit2allow or sealert, telling you exactly what to do -- that you don't need to code "defensively", you can just run a program, see what errors are logged, and look at the report to see exactly what needs to be changed. This takes some getting used to since SELinux is the only thing I've seen that comes with tools to explain its error messages so helpfully. Everything else, the error messages are usually so obscure that it's easier to code defensively and follow guidelines for what you know *will* work.
HTH, :-) Marko
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos