[CentOS] SELinux and access across 'similar types'

Sat Jan 7 16:15:35 UTC 2012
Bennett Haselton <bennett at peacefire.org>

On 1/7/2012 6:50 AM, Marko Vojinovic wrote:
> On Saturday 07 January 2012 05:39:15 Bennett Haselton wrote:
>> On 1/7/2012 5:25 AM, John R. Dennison wrote:
>>> On Sat, Jan 07, 2012 at 04:43:31AM -0800, Bennett Haselton wrote:
>>>> Virtually every hosting company I've ever bought a CentOS server from
>>>> has had SELinux turned off by default.  (So, a partial list would
>>>> include FDCServers, Superb.net, SiteGenie, SecuredServers (ho, ho),
>>>> AeroVPS (sells dedicated servers despite their name), Netelligent,
>>>> ServerBeach and I don't remember all the others).  Don't hold me to
>>>> that
>>>> list 100% since some might have changed their policies for new servers
>>>> but it's pretty universal.
>>> Then these companies should be universally boycotted as it's pretty
>>> evident that they don't place security at the top of the importance
>>> stack.
>>>
>>> People that don't run selinux deserve _everything_ they get and then
>>> some.
> [snip]
>> Apparently the marketplace favors hosting companies turning SELinux off
>> because the failures it causes are too obscure and it causes too many
>> support headaches.
> Ignorance is bliss... ;-)
>
> A hosting company should certainly have SELinux turned on by default. A
> customer who doesn't know how to handle it should be told to RTFM.
See what I wrote to John about "should-statements"... you can't change 
human nature, but you can make better defaults.
> If they
> don't want to deal with SELinux, they can easily turn it off themselves (at
> their own responsibility).
>
> This is analogous to having a rent-a-car agency renting cars without safety
> belts, because "they are inconvenient for the users and most people don't put
> them on anyway". Being irresponsible cannot be justified with what marketplace
> does or does not favor.
>
>> A non-changing-human-nature solution might be to
>> notify the user directly when SELinux blocks something.  The GUI
>> apparently already does this via a dialog box when viewing a desktop;
>> perhaps there's a way to do it on the command line too.  (When the user
>> runs something that's blocked by SELinux, just send a message to the
>> terminal saying "SELinux blocked this", or something.  Would be a start.)
> Sometimes there is a message on stderr about "permission denied" or such. But
> in general every AVC denial is written in /var/log/audit/audit.log. There are
> also setroubleshootd and sealert, to help you "translate" the AVC denial into
> something more user-friendly, and suggest what to do about it.
>
Yes, once you know that SELinux is the cause, the tools for diagnosing 
what to do are pretty helpful.  But what hosting companies care about -- 
in terms of inconvenience to the user -- is that there's no easy way to 
find out for the first time that SELinux is the cause of something not 
working.

Hence the idea for having SELinux send messages to the terminal saying 
"SELinux blocked such-and-such".  There's probably some better way.