[CentOS] selinux: how to allow access?

Tue Mar 20 12:24:38 UTC 2018
John Hodrien <J.H.Hodrien at leeds.ac.uk>

On Tue, 20 Mar 2018, hw wrote:

> That depends.  If the anti-theft system of your car prevents you from driving 
> it, wouldn´t you turn it off so you can drive to work?

How many of us tape the immobiliser transponder to the base of the lock?

> I don´t believe that.  First you need to figure out if it´s a selinux related 
> thing, and to do that, you need to figure out how to figure that out.  Once 
> you figured it out, you need to figure out how to solve it. That usually 
> takes hours or even days.

If you don't learn how to use SELinux, it takes ages to solve anything.  If
you learn it, it takes a short while to get things working, and a little
longer to configure things as you want.  When was security supposed to be zero
cost?  I'm not sure when I last spent an hour solving an SELinux issue, and
I'm not claiming to be highly proficient.

> That looks promising, though it seems to make quite a hype of it.  It even 
> says wrong things, like: Mandatory access control "enables information to be 
> protected from legitimate users with limited authorization as well as from 
> authorized users who have unwittingly executed malicious applications."[1] 
> Perhaps there are implementations of MAC which do that; selinux does not. 
> It´s even a thing I´ve asked about quite a while ago, and there didn´t seem 
> to be a way to achieve it with selinux.

When you confine an unconfined process, is that not what you're doing?

What is it you're trying to do that you believe SELinux can't do?

> So what do you really gain from selinux, and is that worthwhile all the 
> trouble and the hours spent to fix the problems it creates?  What about the 
> impact on performance?

In the general case, you'd struggle to point your finger convincingly at the
SELinux performance hit.  Probably the worst performance hit you're likely to
see is with a badly configured permissive configuration, due to excessive