[CentOS] SELinux and access across 'similar types'

Les Mikesell lesmikesell at gmail.com
Thu Jan 12 06:58:56 UTC 2012


On Wed, Jan 11, 2012 at 5:25 PM, Stephen Harris <lists at spuddy.org> wrote:
>
>> Yes, the breakage came from having someone who didn't understand the
>> needs define that policy.
>
> I think part of the problem is that Linux+SELinux is a _different platform_
> to Linux without SELinux.

If you look at it as _one_ new platform it's not such a big problem.
But I don't think you can target Linux+SELinux in the general sense.

> On any Unix or Linux system I can install apache, configure it so that
> DocumentRoot is /mywebtree/htdocs, CGIs are in /mywebtree/cgi.  The CGI
> can write to /myapp/tmpdir and so on.  And it will work the same way
> on all of those platforms.

It works across platforms because the application developer has a
standard way to deal with standard permissions.

>  On Linux+SELinux, however, you need to do
> additional work.  The platform needs to be configured to allow this
> to work.
>
> Developers need to target Linux+SELinux as if it was a new platform to
> be supported.

How do you avoid this really being multiplied by the number of Linux
distributions if there is not a standard way for the application  to
include its own policy?

> But what about the gazillion of apps that don't support that platform?
> Either you disable SELinux or you have a large support overhead
> (initial onboarding of app, verification that updates to app still work,
> verification that OS updates don't break app, etc etc).

That's why everything uses targeted mode.  You only constrain the apps
where you have a reasonable chance of getting it right.  But with
apache being the swiss army knife of services it is both the obvious
thing to target and the most likely thing to get wrong.

-- 
  Les Mikesell
      lesmikesell at gmail.com



More information about the CentOS mailing list