[CentOS] SELinux and access across 'similar types'

Les Mikesell lesmikesell at gmail.com
Wed Jan 11 02:07:51 UTC 2012


On Tue, Jan 10, 2012 at 3:50 PM, Daniel J Walsh <dwalsh at redhat.com> wrote:
> That is not the way it works.  SELinux Reference policy is a database
> of rules that govern the default ways application run.

Yes, but it is application developers that know what their
applications need to do.  Is there a way for them to express that?

>  These rules
> that have been written for Fedora/RHEL are public and are being moved
> upstream.

There has to be a better approach than letting the Fedora guys
second-guess where application components should live, then
second-guess what the application needs to do.   In fact, that sounds
like a recipe for years of problems for everyone who uses the results.

> Different Distributions can choose to use these policies or
> write their own.

So after the Fedora version of second-guessing, that gets pushed off
to other distributions to likely make it even worse?

> Out of the Reference Policy you can build your own
> version of targeted or MLS policy or you can write your policy from
> scratch.

But is there a way that these can originate from the group that
manages the application, and appear automatically as a result in
distributions that include the application or if you compile from the
source distribution?

> The place that SELinux breaks applications is when an application does
> something that SELinux did not expect.

Well, of course.   The issue is how SELinux is supposed to learn from
the person who does know what the application is going to do.  I don't
run an OS distribution to do what a distribution does, I run it so it
does what the application is supposed to do.  That is, the application
is the point, not what SELinux guesses it was supposed to do.

> I wrote a paper and
> presentation on the four main causes of SELinux issues.
>
> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

Don't these all boil down to SELinux not understanding the application's needs?

-- 
   Les Mikesell
     lesmikesell at gmail.com
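The question above (can policy originate from the people who maintain the application and travel with its source?) has a concrete mechanism that the thread does not spell out: a loadable policy module written against the Reference Policy interfaces, shipped alongside the program and built with the selinux-policy-devel Makefile. The script below is an added example, not code from either poster or from the CentOS/Fedora policy; the daemon name "myapp", its paths under /usr/sbin, /var/lib and /var/log, and its use of the HTTP port are all assumptions made for illustration. It generates a minimal myapp.te/myapp.fc pair that confines the daemon to its own domain, and, only when the SELinux toolchain is actually present, compiles, installs and labels it.

```shell
#!/bin/sh
# Added example: generate a minimal Reference Policy module for a hypothetical
# daemon "myapp" (assumed name/paths), so the policy can ship with the source.

# Type enforcement source: the domain, its entry point, and its data/log types.
gen_te() {
    cat <<'EOF'
policy_module(myapp, 1.0.0)

# Domain the daemon runs in and the executable type that transitions into it.
type myapp_t;
type myapp_exec_t;
init_daemon_domain(myapp_t, myapp_exec_t)

# Private data under /var/lib/myapp (assumed path).
type myapp_var_lib_t;
files_type(myapp_var_lib_t)
manage_dirs_pattern(myapp_t, myapp_var_lib_t, myapp_var_lib_t)
manage_files_pattern(myapp_t, myapp_var_lib_t, myapp_var_lib_t)
files_var_lib_filetrans(myapp_t, myapp_var_lib_t, dir)

# Append-only logs under /var/log/myapp (assumed path).
type myapp_log_t;
logging_log_file(myapp_log_t)
manage_dirs_pattern(myapp_t, myapp_log_t, myapp_log_t)
append_files_pattern(myapp_t, myapp_log_t, myapp_log_t)
logging_log_filetrans(myapp_t, myapp_log_t, { dir file })

# Assumed: the daemon listens on the HTTP port; no other network access.
allow myapp_t self:tcp_socket create_stream_socket_perms;
corenet_tcp_bind_generic_node(myapp_t)
corenet_tcp_bind_http_port(myapp_t)

files_read_etc_files(myapp_t)
miscfiles_read_localization(myapp_t)
EOF
}

# File contexts: which paths get which labels (assumed locations).
gen_fc() {
    cat <<'EOF'
/usr/sbin/myapp		--	gen_context(system_u:object_r:myapp_exec_t,s0)
/var/lib/myapp(/.*)?		gen_context(system_u:object_r:myapp_var_lib_t,s0)
/var/log/myapp(/.*)?		gen_context(system_u:object_r:myapp_log_t,s0)
EOF
}

# Write both sources into a directory; returns 0 on success.
write_policy_sources() {
    dir="$1"
    mkdir -p "$dir" || return 1
    gen_te > "$dir/myapp.te" || return 1
    gen_fc > "$dir/myapp.fc" || return 1
    return 0
}

# Build, load and apply labels. Requires selinux-policy-devel and root;
# skipped (returns 2) when the toolchain is not installed.
build_and_install() {
    dir="$1"
    devel_mk=/usr/share/selinux/devel/Makefile
    [ -f "$devel_mk" ] && command -v semodule >/dev/null 2>&1 || return 2
    ( cd "$dir" && make -f "$devel_mk" myapp.pp ) || return 1
    semodule -i "$dir/myapp.pp" || return 1
    restorecon -Rv /usr/sbin/myapp /var/lib/myapp /var/log/myapp || return 1
    # Sanity check: the rules we wrote should be visible in the loaded policy.
    sesearch --allow -s myapp_t -t myapp_log_t -c file 2>/dev/null || true
    return 0
}

if [ "${1:-}" = "build" ]; then
    write_policy_sources "${2:-./myapp-policy}" && \
        build_and_install "${2:-./myapp-policy}"
fi
```

Usage: `sh myapp-policy.sh build ./myapp-policy`. After loading, `ps -eZ | grep myapp` should show the daemon in `myapp_t`, and anything the daemon does that the module did not anticipate shows up as an AVC denial in the audit log, which is the point of the exchange above: the denial list is exactly the record of what the maintainer knew and the policy writer did not.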
