[CentOS] SELinux and access across 'similar types'

Wed Jan 11 22:57:24 UTC 2012
Les Mikesell <lesmikesell at gmail.com>

On Wed, Jan 11, 2012 at 3:30 PM, Lamar Owen <lowen at pari.edu> wrote:
>
>> Yes, the breakage came from having someone who didn't understand the
>> needs define that policy.
>
> 'Going out of its way to break' something means knowing what is needed for something to work, and intentionally preventing it from working.  I'm reminded of DR-DOS years ago....
>
> You can't intentionally break the thing of which you weren't aware; such breakage is not intentional.

Imposing a policy to deny things is intentional.  And doing it without
knowing the details of the needed exceptions isn't accidental.

>> ... what is the standard way to tell
>> distribution packaging systems and system administrators to permit it?
>
> An SELinux policy set.  Seriously.  Set up variables or whatnot to specify filepaths if you need to.

Is there a namespace delegation or some central coordinator for that?
How do two different policy writers avoid accidentally using the same
terms for different things?

>> > That is new, but it isn't very hard.
>
>> Doesn't that really depend on what the application needs to do?
>
> No, unless the application is doing something dangerous. OpenNMS (for one) does some dangerous (in the security context) things, but the RPM packages I've run 'just worked' from the repository, to the best of my recollection (I did some fairly major network reconfiguration, and need to reinstantiate my OpenNMS instance, and when I do it will be on a different VM running C6, assuming the OpenNMS yum repo is up to date).

But, but... You are running in targeted mode and OpenNMS just isn't
one of the targeted applications.  That doesn't fix anything going
forward.

-- 
   Les Mikesell
     lesmikesell at gmail.com
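The question raised above about two policy writers accidentally using the same type names has a concrete answer in how SELinux modules are linked: every `type` declaration lands in one flat, policy-wide namespace, and `semodule` refuses to link two modules that declare the same type (a "duplicate declaration" error). There is no central registrar; the working convention is that each module prefixes its types with its own module name. The script below is an added example, not code from the thread, from OpenNMS or from any shipped policy. It embeds two constructed, minimal refpolicy-style modules (a hypothetical `opennms` module and a hypothetical `mymonitor` module written by someone else) and checks them the way a linker and a reviewer would: it extracts the declared types, reports names declared in more than one module, and flags types that do not carry their module's prefix.

```python
"""Lint constructed SELinux policy module sources for type-name collisions.

Added example: the module texts below are constructed for illustration and
are not real OpenNMS or CentOS policy. The collision rule modelled here is the
one semodule's linker enforces (a type may be declared in exactly one module);
the prefix rule is the refpolicy naming convention, not something the toolchain
enforces.
"""
import re
from collections import defaultdict

# Constructed sample module 1: types are prefixed with the module name.
OPENNMS_TE = """
policy_module(opennms, 1.0.0)

type opennms_t;
type opennms_exec_t;
type opennms_var_lib_t;
type opennms_log_t;
init_daemon_domain(opennms_t, opennms_exec_t)
files_type(opennms_var_lib_t)
logging_log_file(opennms_log_t)
allow opennms_t opennms_var_lib_t:dir manage_dir_perms;
allow opennms_t opennms_var_lib_t:file manage_file_perms;
"""

# Constructed sample module 2: a second author reuses 'opennms_log_t' for
# their own log files and picks an unprefixed 'monitor_t' for the domain.
MYMONITOR_TE = """
policy_module(mymonitor, 1.0.0)

type monitor_t;
type mymonitor_exec_t;
type opennms_log_t;
init_daemon_domain(monitor_t, mymonitor_exec_t)
allow monitor_t opennms_log_t:file manage_file_perms;
"""

# policy_module(name, version) is the refpolicy macro that names a module.
MODULE_RE = re.compile(r"policy_module\(\s*([A-Za-z0-9_]+)\s*,")
# A type declaration: 'type name;' or 'type name, attr1, attr2;' at line start.
# Interface calls such as files_type(...) do not begin with 'type' and are skipped.
TYPE_RE = re.compile(r"^\s*type\s+([A-Za-z0-9_]+)\s*(?:,[^;]*)?;", re.MULTILINE)


def module_name(source: str) -> str:
    """Return the module name from its policy_module() line."""
    match = MODULE_RE.search(source)
    if not match:
        raise ValueError("no policy_module() declaration found")
    return match.group(1)


def declared_types(source: str) -> list[str]:
    """Return the types a module declares, in source order."""
    return TYPE_RE.findall(source)


def find_collisions(sources: list[str]) -> dict[str, list[str]]:
    """Map each type declared by more than one module to the modules declaring it.

    This is the condition under which semodule's linker rejects the set of
    modules; with a single global type namespace there is no way to merge them.
    """
    owners: dict[str, list[str]] = defaultdict(list)
    for src in sources:
        name = module_name(src)
        for t in declared_types(src):
            owners[t].append(name)
    return {t: mods for t, mods in owners.items() if len(mods) > 1}


def unprefixed_types(source: str) -> list[str]:
    """Return declared types that do not start with '<module>_'.

    The prefix is only a convention, but it is the practical answer to the
    namespace question: a module that sticks to it cannot collide with another
    module that does the same unless the two share a module name.
    """
    prefix = module_name(source) + "_"
    return [t for t in declared_types(source) if not t.startswith(prefix)]


def lint(sources: list[str]) -> list[str]:
    """Produce human-readable findings for a set of module sources."""
    findings = []
    for t, mods in sorted(find_collisions(sources).items()):
        findings.append(f"duplicate declaration of type {t} in modules: {', '.join(mods)}")
    for src in sources:
        for t in unprefixed_types(src):
            findings.append(f"module {module_name(src)}: type {t} lacks the module prefix")
    return findings


if __name__ == "__main__":
    for line in lint([OPENNMS_TE, MYMONITOR_TE]):
        print(line)
```

Run as-is, the checker reports the `opennms_log_t` collision that would stop `semodule -i` from linking the second module, plus the two unprefixed names in `mymonitor` that made the collision possible in the first place. The actual build and load steps (`checkmodule`, `semodule_package`, `semodule`) are not exercised here because they need a running SELinux toolchain.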