[CentOS] SELinux and access across 'similar types'

Lamar Owen lowen at pari.edu
Wed Jan 11 21:30:53 UTC 2012


On Wednesday, January 11, 2012 02:49:29 PM Les Mikesell wrote:
> On Wed, Jan 11, 2012 at 1:23 PM, Lamar Owen <lowen at pari.edu> wrote:
> > SELinux does not 'go out of its way' to 'break' anything; rather, SELinux enforces a deny by default 'need to access' policy.

> Yes, the breakage came from having someone who didn't understand the
> needs define that policy.

'Going out of its way to break' something means knowing what is needed for something to work, and intentionally preventing it from working.  I'm reminded of DR-DOS years ago....

You can't intentionally break the thing of which you weren't aware; such breakage is not intentional.

> ... what is the standard way to tell
> distribution packaging systems and system administrators to permit it?

An SELinux policy set.  Seriously.  Set up variables or whatnot to specify filepaths if you need to.

> > That is new, but it isn't very hard.

> Doesn't that really depend on what the application needs to do?

No, unless the application is doing something dangerous. OpenNMS (for one) does some dangerous (in the security context) things, but the RPM packages I've run 'just worked' from the repository, to the best of my recollection (I did some fairly major network reconfiguration, and need to reinstantiate my OpenNMS instance, and when I do it will be on a different VM running C6, assuming the OpenNMS yum repo is up to date).

If the application needs to do weird things, then the application developer (or some member of the development team, or a user of that package, or the packager (if there is one)) needs to write the SELinux policy and bundle it for those who need it.  Simple as that; CentOS and other rebuilds of upstream EL are common enough that SELinux is out there pervasively, so there's really no excuse.

Telling people 'turn SELinux off' shouldn't cut it any more.
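What "write the SELinux policy and bundle it" looks like in practice, as an added example that is not code from this post or from the CentOS project: a POSIX shell script that generates a refpolicy-style .te/.fc pair for a daemon from path variables (the "variables to specify filepaths" idea above) and builds it with the selinux-policy-devel Makefile. The daemon name exampled and its paths are assumptions; the daemon gets its own domain and may only manage files under its data directory, everything else stays denied by default.

```shell
#!/bin/sh
# Minimal SELinux policy module for a hypothetical daemon, generated from
# path variables so a packager can ship it. Uses refpolicy macros and the
# selinux-policy-devel Makefile. Module name and paths are assumptions.
MODULE="${MODULE:-exampled}"
EXEC_PATH="${EXEC_PATH:-/usr/sbin/exampled}"
DATA_PATH="${DATA_PATH:-/var/lib/exampled}"

# Write $MODULE.te (types and allow rules) and $MODULE.fc (file contexts)
# into directory $1. Only the data directory is writable from the new
# domain; anything not listed here is denied by default.
write_policy_source() {
    dir="$1"
    mkdir -p "$dir" || return 1
    cat > "$dir/$MODULE.te" <<EOF
policy_module($MODULE, 1.0.0)

# Domain for the running daemon and the type of its executable.
type ${MODULE}_t;
type ${MODULE}_exec_t;
init_daemon_domain(${MODULE}_t, ${MODULE}_exec_t)

# Private data type; the daemon may create and manage files of this type.
type ${MODULE}_var_lib_t;
files_type(${MODULE}_var_lib_t)
manage_dirs_pattern(${MODULE}_t, ${MODULE}_var_lib_t, ${MODULE}_var_lib_t)
manage_files_pattern(${MODULE}_t, ${MODULE}_var_lib_t, ${MODULE}_var_lib_t)
EOF
    cat > "$dir/$MODULE.fc" <<EOF
$EXEC_PATH    --    gen_context(system_u:object_r:${MODULE}_exec_t,s0)
$DATA_PATH(/.*)?    gen_context(system_u:object_r:${MODULE}_var_lib_t,s0)
EOF
}

# Compile the sources in $1 into $MODULE.pp. Returns 2 when the policy
# development Makefile is absent (selinux-policy-devel not installed).
build_policy_module() {
    [ -f /usr/share/selinux/devel/Makefile ] || return 2
    ( cd "$1" && make -f /usr/share/selinux/devel/Makefile "$MODULE.pp" )
}

# Load the compiled module and relabel the paths it covers. Run as root
# on the target host; a package %post scriptlet would do the same.
install_policy_module() {
    semodule -i "$1/$MODULE.pp" && restorecon -Rv "$EXEC_PATH" "$DATA_PATH"
}
```

After installing, `ausearch -m avc -ts recent` shows any remaining denials, which then become additional allow rules in the .te rather than a reason to disable SELinux.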
