[CentOS] SELinux and access across 'similar types'

Wed Jan 11 20:22:47 UTC 2012
夜神 岩男 <supergiantpotato at yahoo.co.jp>

On 01/12/2012 04:49 AM, Les Mikesell wrote:
> On Wed, Jan 11, 2012 at 1:23 PM, Lamar Owen<lowen at pari.edu>  wrote:
>> On Wednesday, January 11, 2012 01:22:05 PM Les Mikesell wrote:
>>> I don't think of myself as a 'normal user', but I still don't
>>> appreciate it when a distribution goes out of its way to arbitrarily
>>> modify and break what application developers spent years designing and
>>> writing.
>>
>> SELinux does not 'go out of its way' to 'break' anything; rather, SELinux enforces a deny by default 'need to access' policy.
>
> Yes, the breakage came from having someone who didn't understand the
> needs define that policy.

I think you are misunderstanding how SELinux policies are formed and how 
they work. It's a *lot* less complicated and mysterious than you're 
making it sound. For most applications it's really, really easy to do this.

>> If you need to special-case stuff, then you need to do an analysis of the special cases you need to create; this is what a testing server running SELinux in permissive mode is for, as there is no better analysis of what SELinux needs than SELinux in permissive mode logging what your application is using.  Get the logs and run audit2allow and package that as a piece of your applications' SELinux policies.
>
> So if an application only needs to do something once at some future
> time, what happens?  If you write an application that will need to do
> something at some rare future time, what is the standard way to tell
> distribution packaging systems and system administrators to permit it?

I'm trying to think of a single example (that isn't a worm) that fits 
this description.

Can you think of any examples? (again, worms don't count... actually, 
that is sort of the point here...)

>> That is new, but it isn't very hard.
>
> Doesn't that really depend on what the application needs to do?

No, there are tools that do almost all the work for you. It's much easier 
than learning how to write a spec file in the first place. At this point 
it sounds like you're just arguing against something you're refusing to 
find out more about -- which is the standard human policy towards 
SELinux, so you're in good company (it used to be the standard human 
policy toward ipchains back in the day, too).

You can just turn it off if it bothers you so much.
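The permissive-mode workflow quoted above (let the application run with SELinux logging denials instead of blocking them, then feed those denials to audit2allow and ship the result as a policy module) is easier to judge once you see what audit2allow actually does with an AVC line. The following is an added example, not code from this thread and not audit2allow itself: a small Python re-implementation of the core step, turning AVC denial records into a Type Enforcement (.te) module. The domain and type names (myapp_t and friends) are hypothetical, the audit.log lines are constructed to match the kernel's AVC format, and the REVIEW_TYPES list is an illustrative choice showing why generated rules are reviewed rather than installed blindly.

```python
"""Mini audit2allow: turn AVC denials logged in permissive mode into
SELinux Type Enforcement (TE) allow rules.

Added example, not the list's code and not audit2allow itself.  The
domain/type names (myapp_t etc.) are hypothetical; the AVC lines below are
constructed to look like /var/log/audit/audit.log entries.
"""
import re
from collections import defaultdict

# Constructed sample: what a permissive-mode test box logs while the
# (hypothetical) application exercises its code paths.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1326312345.101:201): avc:  denied  { read } for  pid=2101 comm="myapp" name="data.db" dev=dm-0 ino=40123 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1326312345.102:202): avc:  denied  { write } for  pid=2101 comm="myapp" name="data.db" dev=dm-0 ino=40123 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1326312345.103:203): avc:  denied  { name_connect } for  pid=2101 comm="myapp" scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1326312345.104:204): avc:  denied  { read } for  pid=2101 comm="myapp" name="shadow" dev=dm-0 ino=1311 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1326312345.104:204): arch=c000003e syscall=2 success=yes exit=3 comm="myapp"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Target types that should never be waved through by a generated rule.
# Illustrative choice for this example, not a list audit2allow maintains.
REVIEW_TYPES = {"shadow_t"}


def context_type(ctx):
    """user:role:type[:level] -> type (the part TE rules are written on)."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return {stype, ttype, tclass, perms} for an AVC denial line, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None  # SYSCALL and other record types carry no rule material
    return {
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def aggregate(log_text):
    """Merge denials into one permission set per (source, target, class)."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is not None:
            rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(rules)


def render_te(module_name, rules, version="1.0"):
    """Emit a .te module: require block plus one allow rule per triple.

    Rules whose target type is in REVIEW_TYPES are emitted commented out,
    so the module cannot be built with them by accident.
    """
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (stype, ttype, cls), perms in sorted(rules.items()):
        rule = f"allow {stype} {ttype}:{cls} {{ {' '.join(sorted(perms))} }};"
        if ttype in REVIEW_TYPES:
            rule = f"# REVIEW before enabling: {rule}"
        out.append(rule)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_te("myapp_local", aggregate(SAMPLE_AVC_LOG)))
```

On a real box the equivalent is `ausearch -m avc -ts recent | audit2allow -M myapp_local` followed by `semodule -i myapp_local.pp`; the point of reading the generated .te first is visible in the sample: two of the denials collapse into a sensible `allow myapp_t var_lib_t:file { read write };`, but the fourth would grant the domain read access to shadow_t, which is exactly the kind of rule a permissive-mode log will happily contain and a reviewer must drop or explain.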