[CentOS] SELinux and access across 'similar types'

Marko Vojinovic vvmarko at gmail.com
Sat Jan 7 09:50:09 EST 2012


On Saturday 07 January 2012 05:39:15 Bennett Haselton wrote:
> On 1/7/2012 5:25 AM, John R. Dennison wrote:
> > On Sat, Jan 07, 2012 at 04:43:31AM -0800, Bennett Haselton wrote:
> >> Virtually every hosting company I've ever bought a CentOS server from
> >> has had SELinux turned off by default.  (So, a partial list would
> >> include FDCServers, Superb.net, SiteGenie, SecuredServers (ho, ho),
> >> AeroVPS (sells dedicated servers despite their name), Netelligent,
> >> ServerBeach and I don't remember all the others).  Don't hold me to
> >> that
> >> list 100% since some might have changed their policies for new servers
> >> but it's pretty universal.
> > 
> > Then these companies should be universally boycotted as it's pretty
> > evident that they don't place security at the top of the importance
> > stack.
> > 
> > People that don't run selinux deserve _everything_ they get and then
> > some.
> 
[snip]
> Apparently the marketplace favors hosting companies turning SELinux off
> because the failures it causes are too obscure and it causes too many
> support headaches.

Ignorance is bliss... ;-)

A hosting company should certainly have SELinux turned on by default. A 
customer who doesn't know how to handle it should be told to RTFM. If they 
don't want to deal with SELinux, they can easily turn it off themselves (at 
their own responsibility).

This is analogous to having a rent-a-car agency renting cars without safety 
belts, because "they are inconvenient for the users and most people don't put 
them on anyway". Being irresponsible cannot be justified with what marketplace 
does or does not favor.

> A non-changing-human-nature solution might be to
> notify the user directly when SELinux blocks something.  The GUI
> apparently already does this via a dialog box when viewing a desktop;
> perhaps there's a way to do it on the command line too.  (When the user
> runs something that's blocked by SELinux, just send a message to the
> terminal saying "SELinux blocked this", or something.  Would be a start.)

Sometimes there is a message on stderr about "permission denied" or such. But 
in general every AVC denial is written in /var/log/audit/audit.log. There are 
also setroubleshootd and sealert, to help you "translate" the AVC denial into 
something more user-friendly, and suggest what to do about it.

HTH, :-)
Marko




More information about the CentOS mailing list