[CentOS] SELinux - way of the future or good idea but !!!

Tue Dec 7 19:44:21 UTC 2010
Daniel J Walsh <dwalsh at redhat.com>


On 12/07/2010 01:13 PM, m.roth at 5-cent.us wrote:
> Daniel J Walsh wrote:
>> On 12/07/2010 12:46 PM, m.roth at 5-cent.us wrote:
>>> Daniel J Walsh wrote:
>>>> On 12/07/2010 11:59 AM, Benjamin Franz wrote:
>>>>> On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
> <munch>
>>> What have you done for folks who have third-party software, either F/OSS
>>> or COTS, or in-house developed stuff, *none* of which was written with
>>> selinux in mind, and is *not* going to be rewritten any time soon?
>>> You've seen me on the selinux list, and I have yet to figure out why I
>>> see the complaints about contexts, since they *appear* to be temp files,
>>> and I don't know where they're located, or where the CGI scripts are that
>>> create them, and *all* of it's got the added complexity that some of
>>> them are on NFS-mounted directories.
>>
>> We have attempted to work with them, setup default labeling for them
>> when we know about the problems, embarrass them when they say you need
>> to disable SELInux.  Red Hat is working on new developer tools to help
>> third party developers work on RHEL systems.   I am not sure what else I
>> can do to get them to work with the security systems in place on RHEL.
> 
> Ok, it's good to know you are thinking about that. How 'bout a tool: point
> it at a directory, and it reports only the files/directories that are
> default, or break policy, or that *might* suggest where there's a problem
> (scripts in this directory will write default_t if they run anywhere but
> /here/only/, etc.)?
> 
>         mark
> 
I think you would need to further explain.  We can tell you what file or
directory is mislabeled:

# restorecon -R -n -v PATH

We can tell which types have access to which other types:

sesearch -A -s httpd_t -t default_t

Are you looking for something like

What access does /usr/bin/httpd have to /myweb/html?
What types does /usr/bin/httpd have write access to?

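An added example, not code from Dan or from the list, of the kind of directory audit Mark asked for, built from the two commands in the reply: `find -printf '%Z'` prints each file's context so the default_t/unlabeled_t ones can be flagged, `restorecon -n` reports labels that differ from policy without changing anything, and `sesearch` shows which types a domain may write. The directory argument, the httpd_t domain and the sample context lines are assumptions; the tree-walking and policy-query parts need GNU find and the SELinux userland installed.

```shell
#!/bin/sh
# Added example (not from the thread): point it at a directory and it reports
# the labels that suggest a problem, the way Mark describes.

# Pure filter: read "context path" lines, as printed by `find -printf '%Z %p\n'`,
# and print type and path for files whose type is default_t or unlabeled_t.
# Files a daemon writes outside the directories policy knows about typically
# end up as default_t, which is the source of the complaints in the thread.
flag_suspect_labels() {
    awk '{
        split($1, ctx, ":");          # context is user:role:type:level
        type = ctx[3];
        if (type == "default_t" || type == "unlabeled_t") {
            path = $0; sub(/^[^ ]+ /, "", path);   # keep paths with spaces intact
            print type "\t" path
        }
    }'
}

# Walk a tree and report suspect labels (GNU find; %Z is the SELinux context).
report_suspect_labels() {
    find "$1" -printf '%Z %p\n' | flag_suspect_labels
}

# Report files whose current label differs from the policy default, without
# relabeling anything (-n is restorecon's dry-run flag).
report_mislabeled() {
    restorecon -R -n -v "$1"
}

# Show which types a domain (e.g. httpd_t) may write to; this is the sesearch
# query from the reply, narrowed to the write permission.
report_writable_types() {
    sesearch -A -s "$1" -p write
}

if [ "$#" -gt 0 ]; then
    echo "== files labeled default_t/unlabeled_t under $1"
    report_suspect_labels "$1"
    echo "== files whose label differs from policy under $1"
    report_mislabeled "$1"
    echo "== types httpd_t may write"
    report_writable_types httpd_t
fi
```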