[CentOS] SELinux - way of the future or good idea but !!!

Tue Dec 7 18:13:35 UTC 2010
m.roth at 5-cent.us <m.roth at 5-cent.us>

Daniel J Walsh wrote:
> On 12/07/2010 12:46 PM, m.roth at 5-cent.us wrote:
>> Daniel J Walsh wrote:
>>> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>>>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
 <mvnch>
>> What have you done for folks who have third-party software, either F/OSS
>> or COTS, or in-house developed stuff, *none* of which was written with
>> selinux in mind, and is *not* going to be rewritten any time soon?
>> You've seen me on the selinux list, and I have yet to figure out why I
>> see the complaints about contexts, since they *appear* to be temp files,
>> and I don't know where they're located, or where the CGI scripts that
>> create them are, and *all* of it's got the added complexity that some
>> of that are on NFS-mounted directories.
>
> We have attempted to work with them, set up default labeling for them
> when we know about the problems, embarrass them when they say you need
> to disable SELinux.  Red Hat is working on new developer tools to help
> third party developers work on RHEL systems.   I am not sure what else I
> can do to get them to work with the security systems in place on RHEL.

Ok, it's good to know you are thinking about that. How 'bout a tool, point
it at a directory, and it reports only the files/directories that are
default, or break policy, or that *might* suggest where there's a problem
(scripts in this directory will write default_t if they run anywhere but
/here/only/, etc.)?

        mark
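
A sketch of the kind of tool suggested in the message above, as an added example that is not part of the original post or of any Red Hat tooling: it walks a directory and reports entries whose SELinux type is `default_t`, `file_t` or `unlabeled_t`, or that carry no label at all. The watch list, function names and report wording are assumptions of this example.

```python
import errno
import os
import sys

# Types that usually mean no specific policy rule matched the path
# (watch list assumed for this example).
SUSPECT_TYPES = {"default_t", "file_t", "unlabeled_t"}


def selinux_type(raw):
    """Return the type field of a raw security.selinux value, or None."""
    text = raw.rstrip(b"\x00").decode("ascii", "replace")
    # user:role:type[:level] -- the MLS level may itself contain colons.
    fields = text.split(":", 3)
    return fields[2] if len(fields) >= 3 else None


def read_label(path):
    """Read the label xattr of the entry itself, not of a symlink target."""
    return os.getxattr(path, "security.selinux", follow_symlinks=False)


def check(path, getlabel=read_label):
    """Return a short reason string if path merits a look, else None."""
    try:
        raw = getlabel(path)
    except OSError as exc:
        # ENODATA: no label stored; ENOTSUP: no xattr support on this fs.
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return "no SELinux label"
        return "unreadable: %s" % exc
    ctype = selinux_type(raw)
    if ctype is None:
        return "malformed context"
    return "type " + ctype if ctype in SUSPECT_TYPES else None


def scan(root, getlabel=read_label):
    """Return [(path, reason)] for every directory and file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            reason = check(path, getlabel)
            if reason:
                findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s\t%s" % (path, reason))
```
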