[CentOS] selinux stuff - I just don't get

Mon Nov 14 23:28:26 UTC 2005
Craig White <craigwhite at azapple.com>

On Mon, 2005-11-14 at 18:09 -0500, William L. Maltby wrote:
> On Mon, 2005-11-14 at 16:01 -0700, Craig White wrote:
> > On Mon, 2005-11-14 at 17:46 -0500, William L. Maltby wrote:
> > > On Mon, 2005-11-14 at 08:37 -0700, Craig White wrote:
> > > > On Mon, 2005-11-14 at 08:29 -0200, Giovanni P. Tirloni wrote:
> > > > > Craig White wrote:
> > > > > ><snip>
> > > 
> > > > I don't know if this stems from my compiling my own appletalk and
> > > > megaraid modules or some other stupid thing that I have done and thus
> > > > somehow wasn't covered in the upgrade from 4.1 to 4.2 or if everyone who
> > > > upgraded from 4.1 to 4.2 sees these messages in their logs.
> > > > 
> > > 
> > > I also received these new messages in the message log. Did what Peter
> > > Farrow suggested and the messages stopped after reboot.
> > > 
> > > From my quick scanning of the docs we were pointed to, I saw no
> > > *obvious* solution jump out at me. I'm beginning to suspect that there is
> > > a user or domain addition needed to prevent the messages.
> > > 
> > > But that's only suspicion until I do more research, if I do.
> > ----
> > No - are you having the problem? do you want the solution?
> > 
> > Craig
> > 
> > 
> I was hoping that you might post or offer it. Yes, I would enjoy that.
> I'm a big believer in .... >:-)  Philosophy almost started.
> 
> Please post the solution. I was having the same messages you complained
> about. Peter's solution suppressed the messages, but I planned on "doing
> the right thing" at some point when I could read, understand, ...
> 
> TIA
> 
> BTW: Don't be too hard on folks about the philosophy things, although
> it is an inconvenience for the more pragmatic among us. I have never
> seen a good tech list that doesn't have them.
----
I was a bit ticked off about it actually. I asked a simple question
about the messages I was getting and find 30 messages debating the value
of selinux on my thread and one response to tell me to look at the
documentation that I had read through a million times and understood
very little.

It probably wouldn't have been so bad if the topic hadn't been debated
monthly and the same people saying the same things and thus no
enlightenment.

Anyway...the solution...(Note - I also included my solution to MySQL)
for the record...

# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - SELinux is fully disabled.
SELINUX=Enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
#       targeted - Only targeted network daemons are protected.
#       strict - Full SELinux protection.
SELINUXTYPE=targeted

# yum install selinux-policy-targeted-sources

# cat /etc/selinux/targeted/src/policy/domains/local.te
## http to mysql: on this box mysqld runs in initrc_t, so Apache (httpd_t)
## needs connectto on its unix socket
allow httpd_t initrc_t:unix_stream_socket connectto;

## dbus: let the unconfined domain send dbus messages to initrc_t
allow unconfined_t initrc_t:dbus send_msg;

# cd /etc/selinux/targeted/src/policy
# make reload

Now all of those arrogant people who want to just shut off SELinux
because they either:
a. Feel they can secure their systems without it
b. Don't understand enough of it to justify using it
c. Can't be bothered

Please don't advise people to just shut it off. Tell them to set SELinux
to 'permissive'

You may all resume your debate now...              ;-)

Trust me, it won't solve anything.

Craig


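For the record, here is an added example that is not part of Craig's post or of the CentOS policy sources: a small Python stand-in for what audit2allow does, showing how allow lines like the two above are derived from the AVC denial messages in /var/log/messages. It parses denial lines, merges the permissions requested per (source type, target type, class), and prints rules in the .te syntax the src policy Makefile expects. The log lines are constructed for the example (the post shows none), and the "broad rule" check at the end is my own heuristic, not anything the policy tools enforce.

```python
"""Turn AVC denial log lines into candidate local.te allow rules.

Added example, not from the original post or from policycoreutils: a
minimal stand-in for audit2allow.  All log lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample syslog lines in the CentOS 4 era format (kernel AVC
# plus one userspace AVC from dbus-daemon).  Not from the original post.
SAMPLE_LOG = """\
Nov 14 09:12:01 db1 kernel: audit(1131980721.101:12): avc:  denied  { connectto } for  pid=2231 comm="httpd" path="/var/lib/mysql/mysql.sock" scontext=root:system_r:httpd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
Nov 14 09:12:05 db1 dbus: avc:  denied  { send_msg } for  msgtype=method_call spid=2410 tpid=1987 scontext=root:system_r:unconfined_t tcontext=root:system_r:initrc_t tclass=dbus
Nov 14 09:12:09 db1 kernel: audit(1131980729.442:14): avc:  denied  { connectto } for  pid=2232 comm="httpd" path="/var/lib/mysql/mysql.sock" scontext=root:system_r:httpd_t tcontext=root:system_r:initrc_t tclass=unix_stream_socket
Nov 14 09:13:00 db1 kernel: audit(1131980780.007:15): avc:  denied  { read write } for  pid=2232 comm="httpd" name="mysql.sock" dev=dm-0 ino=98765 scontext=root:system_r:httpd_t tcontext=root:object_r:var_lib_t tclass=sock_file
Nov 14 09:13:01 db1 kernel: audit(1131980781.100:16): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
"""

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}")
CTX_RE = re.compile(r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)")


def context_type(ctx):
    """user:role:type[:level] -> type (the part policy rules are written against)."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError("not a security context: %r" % ctx)
    return parts[2]


def parse_avc(line):
    """Return (stype, ttype, tclass, set(perms)) for a denial line, else None.

    'granted' records and lines without a full context triple are skipped,
    so a successful setenforce or an unrelated message never becomes a rule.
    """
    m = AVC_RE.search(line)
    if not m or m.group("verdict") != "denied":
        return None
    c = CTX_RE.search(line)
    if not c:
        return None
    perms = set(m.group("perms").split())
    return (context_type(c.group("s")), context_type(c.group("t")), c.group("c"), perms)


def generate_allow_rules(log_text):
    """Merge all denials per (source, target, class) and emit .te allow rules."""
    wanted = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            s, t, cls, perms = parsed
            wanted[(s, t, cls)] |= perms
    rules = []
    for (s, t, cls), perms in sorted(wanted.items()):
        p = sorted(perms)
        perm_str = p[0] if len(p) == 1 else "{ %s }" % " ".join(p)
        rules.append("allow %s %s:%s %s;" % (s, t, cls, perm_str))
    return rules


# Heuristic (my assumption, not a policy-language rule): rules that target
# initrc_t or originate from unconfined_t cover far more than one daemon,
# so they deserve a second look before they go into local.te.
BROAD_TYPES = {"initrc_t", "unconfined_t"}


def flag_broad_rules(rules):
    """Return the subset of generated rules that touch a broad type."""
    flagged = []
    for rule in rules:
        _, s, rest = rule.split(" ", 2)
        t = rest.split(":", 1)[0]
        if s in BROAD_TYPES or t in BROAD_TYPES:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    rules = generate_allow_rules(SAMPLE_LOG)
    print("## generated from AVC denials")
    for r in rules:
        print(r)
    for r in flag_broad_rules(rules):
        print("# WARNING broad rule, review before 'make reload':", r)
```

Running it reproduces the two lines from the post (the repeated httpd denial is merged into one rule) plus a { read write } rule on the socket file, and flags the two rules that involve initrc_t or unconfined_t. That flag is the point: pasting generated rules into local.te and running make reload is exactly as safe as the rules themselves, so read what each one opens up before reloading, and prefer permissive over disabled while you work out which rules you really need.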