[CentOS] SELinux and access across 'similar types'

Wed Jan 11 19:49:29 UTC 2012
Les Mikesell <lesmikesell at gmail.com>

On Wed, Jan 11, 2012 at 1:23 PM, Lamar Owen <lowen at pari.edu> wrote:
> On Wednesday, January 11, 2012 01:22:05 PM Les Mikesell wrote:
>> I don't think of myself as a 'normal user', but I still don't
>> appreciate it when a distribution goes out of its way to arbitrarily
>> modify and break what application developers spent years designing and
>> writing.
>
> SELinux does not 'go out of its way' to 'break' anything; rather, SELinux enforces a deny by default 'need to access' policy.

Yes, the breakage came from having someone who didn't understand the
needs define that policy.

> If you need to special-case stuff, then you need to do an analysis of the special cases you need to create; this is what a testing server running SELinux in permissive mode is for, as there is no better analysis of what SELinux needs than SELinux in permissive mode logging what your application is using.  Get the logs and run audit2allow and package that as a piece of your applications' SELinux policies.

So if an application only needs to do something once at some future
time, what happens?  If you write an application that will need to do
something at some rare future time, what is the standard way to tell
distribution packaging systems and system administrators to permit it?

> That is new, but it isn't very hard.

Doesn't that really depend on what the application needs to do?

-- 
   Les Mikesell
     lesmikesell at gmail.com
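The permissive-mode workflow Lamar describes (collect AVC denials, feed them to audit2allow, ship the result as a policy module) can be made concrete with the following added example. It is not code from the thread or from the audit2allow project; it is a simplified reimplementation of the core step audit2allow performs: parse `avc: denied` records out of audit.log, aggregate them per (source type, target type, object class), and render a minimal Type Enforcement (.te) source. The audit lines, the `httpd_t`/`var_t`/`postgresql_port_t` contexts and the module name `myapp_local` are constructed for illustration. Unlike real audit2allow it does not suggest booleans or relabeling, so treat its output the same way you would treat audit2allow's: as a list of what the application was observed doing, not as a reviewed policy.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log lines from a permissive-mode
# run (not a real capture). Two denials hit the same file, one is a network
# connect, one is a SYSCALL record and one is a 'granted' AVC; only the three
# denials should turn into rules.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1326311369.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="data.txt" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1326311369.124:457): avc:  denied  { open } for  pid=1234 comm="httpd" path="/var/www/app/data.txt" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1326311400.001:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1326311369.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1326311369.125:459): avc:  granted  { setenforce } for  pid=900 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Matches the fixed part of an AVC record: decision, permission set, and the
# source/target contexts plus object class that follow the free-form fields.
AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) for every AVC denial.

    Contexts look like user:role:type:level; the type field (index 2) is what
    an allow rule is written in terms of.
    """
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group('decision') != 'denied':
            continue
        src_type = m.group('scontext').split(':')[2]
        tgt_type = m.group('tcontext').split(':')[2]
        yield src_type, tgt_type, m.group('tclass'), set(m.group('perms').split())


def aggregate_rules(text):
    """Merge all denials into {(src_type, tgt_type, tclass): set_of_perms}."""
    rules = defaultdict(set)
    for src, tgt, cls, perms in parse_avc_denials(text):
        rules[(src, tgt, cls)] |= perms
    return dict(rules)


def _fmt_perms(perms):
    # .te syntax: a single permission is bare, several are brace-grouped.
    if len(perms) == 1:
        return next(iter(perms))
    return '{ ' + ' '.join(sorted(perms)) + ' }'


def render_te_module(rules, module_name='myapp_local', version='1.0'):
    """Render a loadable-module .te source: header, require block, allow rules."""
    types = sorted({t for (src, tgt, _) in rules for t in (src, tgt)})
    class_perms = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        class_perms[cls] |= perms
    lines = [f'module {module_name} {version};', '', 'require {']
    lines += [f'\ttype {t};' for t in types]
    lines += [f'\tclass {c} {{ {" ".join(sorted(p))} }};'
              for c, p in sorted(class_perms.items())]
    lines += ['}', '']
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f'allow {src} {tgt}:{cls} {_fmt_perms(perms)};')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(render_te_module(aggregate_rules(SAMPLE_AUDIT_LOG)), end='')
```

On a real box the equivalent is `ausearch -m avc -ts recent | audit2allow -M myapp_local`, which writes `myapp_local.te` and a compiled `myapp_local.pp` that `semodule -i myapp_local.pp` loads; the output above can be compiled by hand with `checkmodule -M -m -o myapp_local.mod myapp_local.te` followed by `semodule_package -o myapp_local.pp -m myapp_local.mod`. Two things to check before installing what either tool produces: a denial on a generic type such as `var_t` often means the file is mislabelled and a `semanage fcontext` fix is narrower than an allow rule, and the module only covers code paths that actually ran during the permissive-mode test, so a permission the application needs rarely will still be denied (and logged) in enforcing mode until someone exercises it and re-runs the loop.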