On Tue, 2010-05-25 at 23:36 -0400, Whit Blauvelt wrote:
> On Tue, May 25, 2010 at 09:09:33PM -0500, Jay Leafey wrote:
>
> > In your case, there should have been AVC errors showing up in the
> > audit log related to smbd. Using restorecon to fix up the security
> > context on the files in /etc/samba might have resolved the issue
> > quickly... but I guess the trick is having run across it before, eh?
>
> Thoughtful advice. Thanks. Is there some method to duplicate basic
> configuration files across selinux servers without running restorecon for
> each set of files that's copied over - that is, to copy them with their
> selinux labels intact?
>
> From this limited example, it looks like selinux gets in the way of standard
> administrative tasks, yet wouldn't be in the way at all of anyone who'd
> acquired a shell within which they could run another shell and with that
> call whatever program they like.
>
> I was just reading a review by Freeman Dyson of physicist Steven Weinberg's
> new book, Lake Views. Dyson is impressed by Weinberg's argument that for
> defense we often go to "glorified technologies" which don't really do for us
> what we expect. For example, mounted knights, which were the expensive high
> tech approach to war of their time, more often than not lost to peasants
> with pikes. The list goes on from there, right up to the present.
>
> In its modest way, selinux would fit right into that record. It's complex
> and shiny and expensive to maintain (hell, its competitor is even called
> "AppArmour" - armour?). But is it as essentially useless in real combat as
> mounted knights were against a line of men with spears? Or as today's
> wishful and extravagant missile defense?
----
You can't make a useful argument out of ignorance. If you don't want to use SELinux, then disable it. Otherwise, learn to understand how it operates and deal with it.

One certain way to cause issues with SELinux is to copy files created in other directories or other computers onto another computer, because they will not have the proper security contexts. The way to fix that is to make sure your policy files are all up to date and then relabel your file system, which should set the contexts to their proper labels.

Craig
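
Added example, not part of the original message: a shell function that pulls the AVC denials for one process out of audit-log lines, so that files which arrived with the wrong label (the smbd case discussed in this thread) stand out by their target type. The log lines are constructed in the standard AVC record layout, and the function name, `user_home_t` as the stray label and `samba_etc_t` as the expected one are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample records (not real logs). user_home_t stands in for the
# label a file keeps when it is moved in from elsewhere; samba_etc_t is the
# type assumed to be expected under /etc/samba.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1274843793.101:501): avc:  denied  { read } for  pid=2211 comm="smbd" name="smb.conf" dev=dm-0 ino=131 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1274843793.104:502): avc:  denied  { getattr } for  pid=2211 comm="smbd" path="/etc/samba/smbusers" dev=dm-0 ino=132 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1274843793.104:502): arch=c000003e syscall=4 success=no exit=-13 comm="smbd" exe="/usr/sbin/smbd"
type=AVC msg=audit(1274843801.220:510): avc:  denied  { read } for  pid=2290 comm="httpd" name="index.html" dev=dm-0 ino=977 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1274843810.007:515): avc:  granted  { read } for  pid=2211 comm="smbd" name="lmhosts" dev=dm-0 ino=133 scontext=system_u:system_r:smbd_t:s0 tcontext=system_u:object_r:samba_etc_t:s0 tclass=file
EOF
}

# avc_denials COMM
# Reads audit records on stdin and prints one line per AVC denial raised by
# COMM, as: permissions object target_type object_class
# Object names containing spaces are not handled.
avc_denials() {
    awk -v want="$1" '
    $1 == "type=AVC" && / denied / {
        comm = obj = ttype = tclass = perm = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # collect every permission listed between the braces
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm == "" ? "" : ",") $j
            }
            split($i, kv, "=")
            val = substr($i, length(kv[1]) + 2)
            gsub(/"/, "", val)
            if (kv[1] == "comm") comm = val
            else if (kv[1] == "name" || kv[1] == "path") obj = val
            else if (kv[1] == "tclass") tclass = val
            else if (kv[1] == "tcontext") {
                # user:role:type:level, keep only the type
                split(val, c, ":")
                ttype = c[3]
            }
        }
        if (comm == want) print perm, obj, ttype, tclass
    }'
}

# Stand-alone run: show what smbd was denied in the constructed sample.
sample_audit_log | avc_denials smbd
```

On a live host the same function can read /var/log/audit/audit.log, and `restorecon -Rv /etc/samba` resets the default labels once the mislabelled files are identified.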