[CentOS] SELinux - way of the future or good idea but !!!

Wed Jan 5 16:50:51 UTC 2011
Paul Johnson <pauljohn32 at gmail.com>

I quit using Fedora a couple of years ago, largely because I felt as
though I was being used as an SELinux guinea pig. I spent days and
days trying to work around SELinux problems, until I eventually just
turned it off.

I'm not a professional sysadmin, but I know many of them who think
SELinux is still just not workable enough for actual production
systems.

I just installed the release version of RedHat 6 and wanted to use
mediawiki and a couple of other CGI php programs.  All of those
programs that require email capability via sendmail/postfix do not
work with SELinux turned on.  Some programs are nice enough to pop up
a "sendmail failed" message, but not all.

type=USER_CMD msg=audit(1293752457.837:246): user pid=4383 uid=0
auid=500 ses=9 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
msg='cwd="/var/www/mediawiki116"
cmd=2F62696E2F7669204C6F63616C53657474696E67732E706870 terminal=pts/4
res=success'
type=AVC msg=audit(1293752692.348:247): avc:  denied  { search } for
pid=4583 comm="sendmail" name="postfix" dev=sda2 ino=150564
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1293752692.348:247): arch=c000003e syscall=80
success=no exit=-13 a0=7f44c0011cc0 a1=7f44c0013a00 a2=7f44c001827d
a3=7fff104b7710 items=0 ppid=4410 pid=4583 auid=500 uid=48 gid=48
euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=9
comm="sendmail" exe="/usr/sbin/sendmail.postfix"
subj=unconfined_u:system_r:httpd_t:s0 key=(null)

It is a known bugzilla, there's supposed to be some fix on the way,
but it has turned into such a big hassle for us here that we've turned
SELinux down to PERMISSIVE mode, just so things will work.

SELinux generates such a massive amount of output in /var/log/audit
that I would never be able to notice what fails and what doesn't; some
programs silently die when SELinux rejects them.  For example, I
created a bunch of accounts in mediawiki that require email
confirmation. Use of sendmail was rejected (silently), and so the
users can't log in. Grrr.



-- 
Paul E. Johnson
Professor, Political Science
1541 Lilac Lane, Room 504
University of Kansas
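The complaint above is that the real failure (httpd_t is denied "search" on a postfix_spool_t directory while running sendmail.postfix) is buried in a flood of other audit records. The script below is an added example, not part of the original post and not something its author ran: it pulls only the AVC "denied" records out of audit.log text, joins each one to its SYSCALL record via the shared serial number (so you get the exe and the -13/EACCES exit code), aggregates identical denials, and looks the (source type, target type, class) tuple up in a small hint table. The hint table is an assumption on my part: on the RHEL/CentOS 6 targeted policy the httpd_t -> postfix_spool_t denial is the one that `setsebool -P httpd_can_sendmail on` is meant to cover; confirm what your installed policy offers with `getsebool -a | grep httpd` and `audit2allow -a`. The sample log is constructed from the records quoted in the post, re-joined onto one line each as they appear in /var/log/audit/audit.log.

```python
import re
from collections import Counter

# Constructed sample input: the three records quoted in the post, one per line.
# The USER_CMD record is unrelated noise and is here to show it is filtered out.
SAMPLE_AUDIT_LOG = """\
type=USER_CMD msg=audit(1293752457.837:246): user pid=4383 uid=0 auid=500 ses=9 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/var/www/mediawiki116" cmd=2F62696E2F7669204C6F63616C53657474696E67732E706870 terminal=pts/4 res=success'
type=AVC msg=audit(1293752692.348:247): avc:  denied  { search } for  pid=4583 comm="sendmail" name="postfix" dev=sda2 ino=150564 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir
type=SYSCALL msg=audit(1293752692.348:247): arch=c000003e syscall=80 success=no exit=-13 a0=7f44c0011cc0 a1=7f44c0013a00 a2=7f44c001827d a3=7fff104b7710 items=0 ppid=4410 pid=4583 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=9 comm="sendmail" exe="/usr/sbin/sendmail.postfix" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
SYSCALL_RE = re.compile(
    r'^type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Hand-maintained hint table (ASSUMPTION: RHEL/CentOS 6 targeted policy).
# (source type, target type, object class) -> boolean that usually resolves it.
# Verify against the installed policy with `getsebool -a` before relying on it.
BOOLEAN_HINTS = {
    ('httpd_t', 'postfix_spool_t', 'dir'): 'httpd_can_sendmail',
    ('httpd_t', 'postfix_spool_t', 'file'): 'httpd_can_sendmail',
    ('httpd_t', 'sendmail_exec_t', 'file'): 'httpd_can_sendmail',
}


def _kv(s):
    """Split an audit record tail into key=value pairs, dropping the quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(s)}


def _type_of(ctx):
    """A context is user:role:type[:level]; policy rules key on the type."""
    return ctx.split(':')[2]


def parse_audit(text):
    """Return one dict per AVC denial, enriched with its SYSCALL record (exe, exit)."""
    syscalls, denials = {}, []
    for line in text.splitlines():
        line = line.strip()
        m = SYSCALL_RE.match(line)
        if m:
            f = _kv(m.group('rest'))
            syscalls[int(m.group('serial'))] = {
                'exe': f.get('exe'),
                'exit': int(f['exit']) if 'exit' in f else None,
                'success': f.get('success'),
            }
            continue
        m = AVC_RE.match(line)
        if not m or m.group('verdict') != 'denied':
            continue  # granted AVCs and every other record type are noise here
        f = _kv(m.group('rest'))
        denials.append({
            'serial': int(m.group('serial')),
            'comm': f.get('comm'),
            'pid': int(f['pid']) if 'pid' in f else None,
            'perms': m.group('perms').split(),
            'stype': _type_of(f['scontext']),
            'ttype': _type_of(f['tcontext']),
            'tclass': f.get('tclass'),
            'name': f.get('name'),
        })
    # AVC and SYSCALL records for one event share the serial after the timestamp.
    for d in denials:
        d.update(syscalls.get(d['serial'], {'exe': None, 'exit': None, 'success': None}))
    return denials


def suggest(denial):
    """Boolean from the hint table for this denial, or None if it is not a known case."""
    return BOOLEAN_HINTS.get((denial['stype'], denial['ttype'], denial['tclass']))


def report(text):
    """Collapse identical denials and render one line each, with the hint if any."""
    counts = Counter()
    sample = {}
    for d in parse_audit(text):
        key = (d['stype'], d['ttype'], d['tclass'], ' '.join(d['perms']))
        counts[key] += 1
        sample.setdefault(key, d)
    lines = []
    for key, n in counts.most_common():
        d = sample[key]
        hint = suggest(d)
        fix = 'setsebool -P %s on' % hint if hint else 'no hint; run audit2allow -a'
        lines.append('%3dx %s -> %s %s {%s} exe=%s exit=%s : %s'
                     % (n, key[0], key[1], key[2], key[3], d['exe'], d['exit'], fix))
    return lines


if __name__ == '__main__':
    # For a live box: ausearch -m avc -ts recent | python this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_AUDIT_LOG
    print('\n'.join(report(text)))
```

The aggregation is the point: a day of audit.log collapses to a handful of distinct (source, target, class, permission) tuples, and the ones worth acting on are those whose SYSCALL shows success=no and exit=-13. Running in permissive mode changes the verdict to "denied" entries that are logged but not enforced, so the same script still shows what would break if you went back to enforcing.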