[CentOS] SELinux and access across 'similar types'

Lamar Owen lowen at pari.edu
Wed Jan 11 19:23:21 UTC 2012


On Wednesday, January 11, 2012 01:22:05 PM Les Mikesell wrote:
> I don't think of myself as a 'normal user', but I still don't
> appreciate it when a distribution goes out of its way to arbitrarily
> modify and break what application developers spent years designing and
> writing.

SELinux does not 'go out of its way' to 'break' anything; rather, SELinux enforces a deny by default 'need to access' policy.  

I still remember when simple packet filtering firewalls first came out, and those with a 'default deny and allow only what you specify' policy were much more difficult to properly configure than those with a 'default allow and block only what you specify' policy.  Default deny is the correct way to firewall, but it does require much more work, as you need to know what your traffic actually looks like, and you may need to put in some 'helper' applications and connection trackers for things like ftp and H.323.

SELinux is no different in concept, it just brings the access control paradigm onto a much more detailed internal level instead of just being on the network like a simple packet filter would be.

If you need to special-case stuff, then you need to do an analysis of the special cases you need to create; this is what a testing server running SELinux in permissive mode is for, as there is no better analysis of what SELinux needs than SELinux in permissive mode logging what your application is using.  Get the logs and run audit2allow and package that as a piece of your application's SELinux policies.

That is new, but it isn't very hard.  
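The permissive-mode workflow described in the message above, shown as an added example that is not code from the original post or from the SELinux userland: a small script that does the core of what audit2allow does, reading AVC denial records out of audit.log text, merging the denied permissions per (source type, target type, class) and rendering them as a .te policy module, plus a review pass that flags rules which would open the application's domain to broad shared types. The audit records, the `myappd` daemon, the `myapp_t` domain and the list of "generic" types are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt: what SELinux records in permissive mode while
# an assumed daemon "myappd" (domain myapp_t) reads a config file and connects
# to PostgreSQL. The SYSCALL record is included to show it must be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1326310345.101:4567): avc:  denied  { read open } for  pid=1234 comm="myappd" path="/srv/myapp/data/config.ini" dev="dm-0" ino=98765 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1326310345.102:4568): avc:  denied  { getattr } for  pid=1234 comm="myappd" path="/srv/myapp/data/config.ini" dev="dm-0" ino=98765 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1326310345.103:4569): avc:  denied  { name_connect } for  pid=1234 comm="myappd" dest=5432 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1326310345.103:4569): arch=c000003e syscall=42 success=yes exit=0
"""

# Pull the permission set, the source/target *types* (third field of the
# context) and the object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=\S+?:\S+?:(?P<stype>\w+)(?::\S*)?\s+'
    r'tcontext=\S+?:\S+?:(?P<ttype>\w+)(?::\S*)?\s+'
    r'tclass=(?P<tclass>\w+)'
)

# Assumed list of broad, shared types: a denial against one of these usually
# means the application's files are mislabelled, not that the domain needs
# access to everything carrying that label.
GENERIC_TYPES = {"var_t", "tmp_t", "etc_t", "usr_t", "default_t", "unlabeled_t"}


def parse_denials(audit_text):
    """Return {(source_type, target_type, tclass): set(permissions)}."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        if "type=AVC" not in line:
            continue  # SYSCALL/PATH/CWD records carry no access decision
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["stype"], m["ttype"], m["tclass"])
        rules[key].update(m["perms"].split())  # merge repeated denials
    return dict(rules)


def to_te_module(rules, name, version="1.0"):
    """Render the merged rules as a .te module (require block + allow rules)."""
    types = sorted({t for (s, tt, _cls) in rules for t in (s, tt)})
    classes = defaultdict(set)
    for (_s, _t, cls), perms in rules.items():
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {{ {' '.join(sorted(p))} }};"
              for cls, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        lines.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


def review_warnings(rules):
    """Keys of rules whose target is a generic type and needs a human decision."""
    return sorted(key for key in rules if key[1] in GENERIC_TYPES)


if __name__ == "__main__":
    merged = parse_denials(SAMPLE_AUDIT_LOG)
    print(to_te_module(merged, "myapp"))
    for stype, ttype, cls in review_warnings(merged):
        print(f"# REVIEW: allow {stype} {ttype}:{cls} is broad; "
              f"consider labelling the files with a {stype.removesuffix('_t')}_data_t type instead")
```

On a real CentOS test box the same steps are `setenforce 0`, exercise the application, then `ausearch -m AVC -ts recent | audit2allow -M myapp` followed by `semodule -i myapp.pp`; the point of the review pass is that the `var_t` rule audit2allow would emit is the one a packager should not ship as-is, since a file context rule for the application's own data directory is the narrower fix.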
