[CentOS] selinux stuff - I just don't get

Bryan J. Smith thebs413 at earthlink.net
Tue Nov 15 01:02:20 UTC 2005

On Mon, 2005-11-14 at 16:28 -0700, Craig White wrote:
> I was a bit ticked off about it actually. I asked a simple question
> about the messages I was getting and find 30 messages debating the value
> of selinux on my thread and one response to tell me to look at the
> documentation that I had read through a million times and understood
> very little.

Actually, there were a few "disable" responses, nothing big, but nothing
too negative.  Then Peter got on his high horse so I, of course, had to
get on a higher one (you know me ;-).

I think you pegged it on the nose, the Fedora topic-specific lists tend
to be far more helpful.  God knows I learn a lot just from lurking on
various lists -- from x86-64 to DeviceMapper to SELinux.

> It probably wouldn't have been so bad if the topic hadn't been debated
> monthly and the same people saying the same things and thus no
> enlightenment.

I agree.  I could have summarized my comments in 1-2 posts, instead of
the tit-for-tat.  My apologies.  I did wait initially, because most of
the posts were just "disable" and left it at that.  But once I see more
"absolutist" attitudes, I tend to cop one myself.

I like to think my analogy to a firewall is fairly accurate.  SELinux is
like a deny all outgoing firewall -- it's just going to break things no
matter what you do.  If you put it in permissive mode, like an allow all
outgoing, less things are going to break -- and less things need to be

Targeted is more like disallowing certain protocols from getting out.
It's what most people choose when they really don't have time to deal
with testing.  But some things will always break, _regardless_ of what
is and isn't enabled -- even if just part of the system is enabled.

> Anyway...the solution...(Note - I also included my solution to MySQL)
> for the record...
> # cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #       enforcing - SELinux security policy is enforced.
> #       permissive - SELinux prints warnings instead of enforcing.
> #       disabled - SELinux is fully disabled.
> SELINUX=Enforcing
> # SELINUXTYPE= type of policy in use. Possible values are:
> #       targeted - Only targeted network daemons are protected.
> #       strict - Full SELinux protection.
> SELINUXTYPE=targeted
> # yum install selinux-targeted-policy-sources
> # cat /etc/selinux/targeted/src/policy/domains/local.te
> ## http to mysql
> allow httpd_t initrc_t:unix_stream_socket connectto;
> ## dbus
> allow unconfined_t initrc_t:dbus send_msg;
> # cd /etc/selinux/targeted/src/policy
> # make reload
> Now all of those arrogant people who want to just shut off SELinux
> because they either:
> a. Feel they can secure their systems without it
> b. Don't understand enough of it to justify using it
> c. Can't be bothered
> Please don't advise people to just shut it off. Tell them to set SELinux
> to 'permissive'

And I think that's the best suggestion.  It gives you a lot of the
warnings, and is good for post-compromises (when they do occur).

> You may all resume your debate now...              ;-)
> Trust me it won't solve anything.

You're right, as usual Craig.  I'll work on making my points in 1-2
posts and leave it at that.

Bryan J. Smith     b.j.smith at ieee.org     http://thebs413.blogspot.com
The best things in life are NOT free - which is why life is easiest if
you save all the bills until you can share them with the perfect woman

More information about the CentOS mailing list