[CentOS] SELinux - way of the future or good idea but !!!

Sun Nov 28 19:06:11 UTC 2010
Jorge Fábregas <jorge.fabregas at gmail.com>

On Sunday 28 November 2010 13:31:28 Benjamin Franz wrote:
> Worse - it doesn't always log what  it is doing in a way that you can figure
> out. Occasionally not at all. 

SELinux does have some rate-limiting capabilities built-in to avoid a flood of 
identical messages...so the "triggering-event to log ratio" is not 1 to 1.  I 
understand this may be confusing for troubleshooting purposes but you need to 
be aware of this.

> Once because an update to SELinux changed the labeling on an existing
> directory tree - blowing away my own applied labeling with no warning

When you apply custom labels to files many people forget that if there's a 
relabel involved (via /.autorelabel or manual filesystem relabel) all your 
custom labels are gone UNLESS you update your local policy contexts by doing:

semanage fcontext -a -t new_type_here 'regex_here'

> I've had several instances of SELinux breaking a previously stable 
> system after an update to SELinux or its policies. On about the same 
> number of machines. The most recent within the last year.

All our CentOS 5 servers have been running smooth with SELinux enabled.  I 
can't tell from previous versions since I always disabled it (I was 
intimidated by it until I decided to take SOME TIME to read about it and 
UNDERSTAND it).  Once you grasp the essentials isn't that of a big issue 
really.

If you are running the packages that come with your distro and you leave the 
stuff in their respective places (/var/www/html etc), you shouldn't be doing 
much tweaking.

In a nutshell, for me, when I suspect there is something related to SELinux 
involved I proceed as follows:

1) I'll check the logs to see if there's any AVC message. If there is...

2) I'll check if this is related to a mislabeled file. If it is, I'll fix the 
label.  If the file in question is on a standard place...a simple restorecon 
should work but if the file is in another place (non-standard location) I'll 
need to register that as a local customization to the file contexts (with 
semanage fcontext...)

3) If the label is correct for the file I'll check if there's a boolean to 
control (allow/deny) this action (example: there are booleans to allow ftp 
server to serve from home directories or not etc...)

4) If there is no boolean and I'm 100% the access is needed...I'll create a 
local custom-policy with audit2allow.

That's basically it.  

On the other hand, there are situations like, for example, our RHEL servers 
running Oracle databases. There's no way to run SELinux as Oracle won't 
support it. I heard they're working on it and in future versions they might 
support it (or maybe their current one I'm not sure).  In other cases where we 
use Symantec Netbackup (the client installed on all servers) we just needed to 
change some labels on some specific libraries and that was all.  Luckily this 
was well documented and there were some KB articles about this.

There has been a lot of progress with SELinux lately. I think you should 
reconsider your position and perhaps give it a try on the upcoming CentOS 6 
where the targeted policy is much matured.

Best regards,
Jorge