[CentOS] SELinux and access across 'similar types'

Wed Jan 11 13:24:41 UTC 2012
Ljubomir Ljubojevic <office at plnet.rs>

On 01/11/2012 03:07 AM, Les Mikesell wrote:
> On Tue, Jan 10, 2012 at 3:50 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>>
>> That is not the way it works.  SELinux Reference policy is a database
>> of rules that govern the default ways application run.
>
> Yes, but it is application developers that know what their
> applications need to do.  Is there a way for them to express that?
>
>>    These rules
>> that have been written for Fedora/RHEL are public and are being moved
>> upstream.
>
> There has to be a better approach than letting the Fedora guys
> second-guess where application components should live, then
> second-guess what the application needs to do.   In fact, that sounds
> like a recipe for years of problems for everyone who uses the results.
>
>>   Different Distributions can choose to use these policies or
>> write their own.
>
> So after the Fedora version of second-guessing, that gets pushed off
> to other distributions to likely make it even worse?

Other distros use those policies as a template and customize them if 
necessary.

>
>>   Out of the Reference Policy you can build your own
>> version of targeted or MLS policy or you can write your policy from
>> scratch.
>
> But is there a way that these can originate from the group that
> manages the application, and appear automatically as a result in
> distributions that include the application or if you compile from the
> source distribution?

There are distributions that do not even have /proc. There are many 
differences in where things are placed between Debian-like and Fedora-like 
distros. But in all cases/distros you have a designated package 
maintainer that knows what needs to be done, and probably already has 
patches prepared.

App developers only need to know to code/develop the app, why burden 
them with knowledge about every single distro difference?

And what about if a distro decides to change something inside the 
distro? Every single Linux developer in the world has to be notified and 
learn about the new way?

>
>> The place that SELinux breaks applications is when an application does
>> something that SELinux did not expect.

This cannot happen with packages of apps prepared by Fedora developers. 
They know where to put stuff, and they also maintain SELinux policies. 
The problem arises with third-party packaged apps or installs from source.

>
> Well, of course.   The issue is how SELinux is supposed to learn from
> the person who does know what the application is going to do.  I don't
> run an OS distribution to do what a distribution does, I run it so it
> does what the application is supposed to do.  That is, the application
> is the point, not what SELinux guesses it was supposed to do.
>
>> I wrote a paper and
>> presentation on the four main causes of SELinux issues.
>>
>> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf
>
> Don't these all boil down to SELinux not understanding the application's needs?
>

SELinux is basically a police officer. So what about people flying by 
plane that need some medicine that can be confiscated by airport 
authorities at both airports/countries? They also do not know your need, 
and it has to be explained to them, right?


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant
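As an added illustration (not from this thread or its authors) of the third-party package case discussed above, where a daemon touches files or ports the distribution policy did not expect: the script below groups constructed AVC denial lines the way audit2allow does and separates denials that are really a labeling problem (fix with semanage fcontext and restorecon) from those that would need a local allow rule. The sample audit lines, the MISLABEL_TYPES list and the function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread), in the shape that
# `ausearch -m AVC` prints when a web app installed under /opt trips the
# targeted policy. The SYSCALL record is there to show non-AVC noise is skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1326287081.123:45): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1326287081.124:46): avc:  denied  { open } for  pid=2211 comm="httpd" name="index.html" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1326287082.001:47): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1326287082.001:47): arch=c000003e syscall=42 success=no exit=-13
"""

# Pulls the permission set, both security contexts and the object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)'
)

# Target types a confined daemon should never legitimately hit: seeing them means the
# files were dropped somewhere the file-context rules do not cover (assumed list).
MISLABEL_TYPES = {"default_t", "unlabeled_t", "user_home_t", "admin_home_t"}


def type_of(context):
    """Return the type field (user:role:TYPE[:level]) of an SELinux context."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Collapse AVC denials into (source type, target type, class) -> set of perms,
    which is the grouping audit2allow turns into allow rules."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL, PATH and other non-AVC records
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def suggest_fixes(rules):
    """Return one advice string per grouped denial: relabel when the target type is a
    catch-all label, otherwise a candidate allow rule for a local policy module."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        if ttype in MISLABEL_TYPES:
            out.append(f"{ttype} on a {tclass} is a labeling problem: run "
                       f"'semanage fcontext -a -t <correct_type> <path>' and 'restorecon -Rv <path>', "
                       f"not an allow rule")
        else:
            out.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};  "
                       f"(candidate rule for a local module; check 'getsebool -a' for a boolean first)")
    return out
```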