Old 07-03-2008, 03:33 AM
Andrew Farris
 
Default Request to re-add option to disable SELinux

Jon Masters wrote:
> On Wed, 2008-07-02 at 18:29 -0700, Andrew Farris wrote:
> > Jon Masters wrote:
> > > On Wed, 2008-07-02 at 17:16 -0400, Alan Cox wrote:
> > > > SELinux should be disablable is the wrong discussion. The discussion you should
> > > > be having is "I've filed a few bugs where SELinux didn't magically do the right
> > > > thing, how do we fix them and can we make these less likely to occur in future"
> > >
> > > I think the only way to "fix" it for the foreseeable future is to
> > > simplify policy, so that only a very limited set of services are
> > > confined. Then, when the graphical tools and user experience have
> > > eventually caught up, it'll be trivial to switch policy again.
> >
> > selinux-policy-targeted is precisely that.
>
> Or more precisely, it would like to be that. Abrupt, single line replies
> like the above amuse me perhaps more than they should, because they
> carry the implication that I didn't actually consider what is currently
> implemented in Fedora before sending my original mail
>
> Anyway. I've tried to make my point, I'm done now

I apologize for the brevity then, but having read your previous mails it seemed
quite clear you hadn't looked at what targeted policy is when asking for it. If
there are specific situations, or policy bugs, or services you feel shouldn't be
confined under targeted policy it might make sense... but asking for a limited
set of services when it exists is just about as confounded as you can get. I
meant (and still mean) no offense, but if you want more thoughtful comments it
would help to be more clear about what you have and haven't already learned
about the situation.


--
Andrew Farris <lordmorgul@gmail.com> www.lordmorgul.net
gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 07-03-2008, 05:36 AM
Dave Airlie
 
Default Request to re-add option to disable SELinux

On Thu, 2008-07-03 at 11:29 +1000, James Morris wrote:
> On Wed, 2 Jul 2008, Alan Cox wrote:
>
> > Knowing what it is isn't sufficient - they must know enough to make a meaningful
> > risk analysis of the decision. Very few users I suspect are in that position.
>
> This is quite a significant problem, as people tend to underestimate
> negative risk and overestimate positive risk (according to "Prospect
> Theory").
>
> And as the odds increase in each direction, people increasingly mis-judge
> them. e.g. people believe they'll win the lottery but figure they don't
> need a motorcycle helmet.
>
> Bruce Schneier recently discussed the topic:
> http://www.schneier.com/blog/archives/2008/05/how_to_sell_sec.html
>
> The only way to really make progress in improving security is to make it a
> standard part of the computing landscape; for it to be ubiquitous and
> generalized, which is the aim of the SELinux project.
>
> Having a separate "secure" version or option will not work, as proven many
> times over with the trusted Unix variants which are essentially forks of
> their respective mainline products.
>
> Avoiding the whole issue will also not work, as DAC security simply cannot
> provide adequate protection in a globally networked environment. The
> rationale for MAC has been made very clear in an NSA paper, the reading of
> which I think is essential for any informed discussion on the issue:
>
> http://www.nsa.gov/selinux/papers/inevitability/
>
> Punting the decision to the end user during installation is possibly the
> worst option. It's our responsibility as the developers of the OS to both
> get security right and make it usable. It's difficult, indeed, but not
> impossible.

That's all nice and all, but really SELinux on by default has never
worked on a Fedora gold release, there is always some path through some
program that didn't get tested, how about you guys try and come up with
a way to solve those problems in advance or at least give developers
some tools so regressions in SELinux policy can be tracked.

Like we have rpmdiff and that other internal rpm thingy for RHEL,
perhaps SELinux team could construct a similar tool that says your new
package is going to violate policy where your old package didn't.

Relying on users to mail us the contents of some pop-up dialog box is
ass. Ask Dr. Watson.

Dave.

 
Old 07-03-2008, 06:00 AM
"Jóhann B. Guðmundsson"
 
Default Request to re-add option to disable SELinux

Jon Masters wrote:

Hi folks,



<Snip>
.....
</Snip>

Cheers,

Jon.


As I see this, there are 2 issues to address/improve...

First, get rid of the false positives.

Dan does exceptional work on fixing selinux reports.

The problem here is not that things don't get FIXED; they
don't get reported.

This is something that Fedora-QA and the testers community need to
step in and improve, as in add to the task list: do a better job of testing and
filing reports against selinux, both rawhide and update testers.

wwoods: Ping, something to bring up at the next meeting.

Second, simplify the incident report for the desktop user, as in noob it down.
It's very good on a technical level but tells the noobster absolutely
nothing; he sees it as gibberish and thinks "where am I supposed to <click> now
to make this go away".

If he's offered a [ Disable ] button he will <click> it.

There is absolutely no need to disable selinux when an exception is
just what is wanted/needed.

The report should maybe be something more in this direction...

$application is trying to do something it should not be doing..
This is what it tries to do: <Summary of the incident>

[ Allow exception ] [ Show full incident report ].

Just my 2 cents..

Best regards
Johann B.

 
Old 07-03-2008, 08:16 AM
"Daniel P. Berrange"
 
Default Request to re-add option to disable SELinux

On Wed, Jul 02, 2008 at 04:10:24PM -0400, Jon Masters wrote:
> *). A number of activities are not possible today, with SE Linux enabled
> and enforcing on a default F9 installation. I can give examples -
> downloading an ISO image and expecting to use it in virt-manager,
> creating a virtual machine in a non-standard location, etc.

We are aware of those problems and have work in progress to fix them. If
you find problems, file bugs about them. Complaining about things not
working without filing bugs won't get us anywhere.

Daniel
--
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

 
Old 07-03-2008, 08:29 AM
Alan Cox
 
Default Request to re-add option to disable SELinux

On Wed, Jul 02, 2008 at 05:20:50PM -0400, Jon Masters wrote:
> I think the only way to "fix" it for the foreseeable future is to
> simplify policy, so that only a very limited set of services are
> confined. Then, when the graphical tools and user experience have
> eventually caught up, it'll be trivial to switch policy again.

How will you know you have "fixed" it if you have the bits in question
turned off - you won't. You have no meaningful way to make progress.

Sorry if I sound fed up of all of this but I spent 9 months fighting people
years back to get firewalling enabled by default, and that had all the same
arguments. Today nobody (even Microsoft) would propose otherwise.

This is the same thing ..

As to Setroubleshoot it would be nicer if it spoke more "end user" ese and
could prompt/fix common mislabelling (eg html files)

 
Old 07-03-2008, 08:50 AM
"Ahmed Kamal"
 
Default Request to re-add option to disable SELinux

Why don't we have a compromise policy, where interactive users are not restricted except their browsers? System daemons would be restricted of course.

Another suggestion is for when something breaks because of selinux, and I get a balloon about it. However, I am unable to modify selinux policy to "correctly" fix that problem. The suggestion is to allow the user a mechanism to launch the affected program in selinux-free mode (like launch as administrator from the Vista world!). Basically, selinux builds very tight walls around the system; the end user needs a hammer to break some of these walls to get his work done. If we don't provide the hammer, he'll end up turning it off completely!


On Thu, Jul 3, 2008 at 11:29 AM, Alan Cox <alan@redhat.com> wrote:
> On Wed, Jul 02, 2008 at 05:20:50PM -0400, Jon Masters wrote:
> > I think the only way to "fix" it for the foreseeable future is to
> > simplify policy, so that only a very limited set of services are
> > confined. Then, when the graphical tools and user experience have
> > eventually caught up, it'll be trivial to switch policy again.
>
> How will you know you have "fixed" it if you have the bits in question
> turned off - you won't. You have no meaningful way to make progress.
>
> Sorry if I sound fed up of all of this but I spent 9 months fighting people
> years back to get firewalling enabled by default, and that had all the same
> arguments. Today nobody (even Microsoft) would propose otherwise.
>
> This is the same thing ..
>
> As to Setroubleshoot it would be nicer if it spoke more "end user" ese and
> could prompt/fix common mislabelling (eg html files)

 
Old 07-03-2008, 01:16 PM
Bruno Wolff III
 
Default Request to re-add option to disable SELinux

On Thu, Jul 03, 2008 at 11:50:59 +0300,
Ahmed Kamal <email.ahmedkamal@googlemail.com> wrote:
> Another suggestion, is when something breaks because of selinux, and I get a
> balloon about it. However, I am unable to modify selinux policy to
> "correctly" fix that problem. The suggestion is to allow the user a

audit2allow can be used to let the program run. As far as "correctly" fixing
things, that isn't going to be automated. In a lot of cases it's the program
that is broken, not the policy. Someone needs to look at what is happening
and figure out what the real problem is.

 
Old 07-03-2008, 01:34 PM
James Morris
 
Default Request to re-add option to disable SELinux

On Thu, 3 Jul 2008, Alan Cox wrote:

> As to Setroubleshoot it would be nicer if it spoke more "end user" ese and
> could prompt/fix common mislabelling (eg html files)

The good thing about setroubleshoot is that it has a plugin architecture,
so people can write better/more plugins. What's lacking are obvious
documents explaining how to do it, alas.


- James
--
James Morris
<jmorris@namei.org>

 
Old 07-03-2008, 01:53 PM
James Morris
 
Default Request to re-add option to disable SELinux

On Thu, 3 Jul 2008, Dave Airlie wrote:

> That's all nice and all, but really SELinux on by default has never
> worked on a Fedora gold release, there is always some path through some
> program that didn't get tested, how about you guys try and come up with
> a way to solve those problems in advance or at least give developers
> some tools so regressions in SELinux policy can be tracked.
>
> Like we have rpmdiff and that other internal rpm thingy for RHEL,
> perhaps SELinux team could construct a similar tool that says your new
> package is going to violate policy where your old package didn't.

I'm not sure that's feasible -- if it were that simple, the policy would
write itself. Possibly something can be done, but it won't make up for
lack of testing. I know of several major packages which cannot possibly
have been tested with SELinux before being shipped.

Even if all people do is enable SELinux for ten minutes at some stage
prior to release, and file the audit logs into a bz, that would probably
fix most of these issues.

Perhaps we should be thinking in terms of establishing the practice of
developers doing all development with SELinux enabled and in enforcing
mode, providing tools to support that. e.g. implement a wrapper for
automated policy module generation for devel use only, and the developer
submits the generated module to the SELinux team at some point, like
during an alpha release, and an "official" policy module is developed from
that and committed to rawhide. i.e. incorporate SELinux policy
development into the overall development process with the package
developers involved from the start and getting assistance from the
SELinux folk.


- James
--
James Morris
<jmorris@namei.org>

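The regression check Dave Airlie asks for, combined with the "file the audit logs" workflow James Morris describes, as an added example (not code from the thread or from the SELinux project): it extracts AVC denials from two audit logs and reports, in allow-rule form similar to what audit2allow (mentioned by Bruno Wolff III above) emits, only the denials the new run introduced. The log records, type names and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread): one test run with
# the old package build, one with the new build.
BASELINE_LOG = """\
type=AVC msg=audit(1215072000.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""
NEW_LOG = BASELINE_LOG + """\
type=AVC msg=audit(1215075600.201:77): avc:  denied  { read write } for  pid=3310 comm="qemu-kvm" name="f9.iso" dev=dm-0 ino=2290 scontext=system_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1215075601.202:78): avc:  granted  { getattr } for  pid=3310 comm="qemu-kvm" scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1215075600.201:77): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

def denied_rules(log_text):
    """Map (source_type, target_type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if not m:
            continue  # skips SYSCALL records and "granted" AVCs
        # A context is user:role:type[:level]; policy rules are written on types.
        src, tgt = m["scon"].split(":")[2], m["tcon"].split(":")[2]
        rules[(src, tgt, m["tclass"])] |= set(m["perms"].split())
    return rules

def new_denials(baseline_log, new_log):
    """Denials seen in the new run but not the baseline, in allow-rule form.
    These are candidates for a human to review, not an automatic fix."""
    old, new = denied_rules(baseline_log), denied_rules(new_log)
    report = []
    for key in sorted(new):
        perms = sorted(new[key] - old.get(key, set()))
        if perms:
            src, tgt, cls = key
            report.append(f"allow {src} {tgt}:{cls} {{ {' '.join(perms)} }};")
    return report

if __name__ == "__main__":
    print("\n".join(new_denials(BASELINE_LOG, NEW_LOG)))
```

A non-empty report means the new build hits policy the old one did not; whether the program or the policy is at fault still has to be decided by someone reading the denial.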
 
Old 07-03-2008, 03:42 PM
Mike Chambers
 
Default Request to re-add option to disable SELinux

On Thu, 2008-07-03 at 04:29 -0400, Alan Cox wrote:

> Sorry if I sound fed up of all of this but I spent 9 months fighting people
> years back to get firewalling enabled by default, and that had all the same
> arguments. Today nobody (even Microsoft) would propose otherwise.
>
> This is the same thing ..
>
> As to Setroubleshoot it would be nicer if it spoke more "end user" ese and
> could prompt/fix common mislabelling (eg html files)

I agree with Alan here, that if selinux is indeed a great program to
help secure the OS and anything else, it at least needs to be a LOT more
user friendly.

Ok, don't give me this MS to linux compare bit on what I am comparing
next, it's the comparing of wording and concept it's done in, not
details and stuff LOL. Anyway, Vista came out with that (I forget the
damn program name) program that when certain programs/files run, you get
a dialog box that you have to continue (to allow it to run) or cancel.
Now, no this isn't exactly the same, but it is in a way. They both
provide a little better security than without it. BUT, in Vista, the
user doesn't have to relabel something, or go to the CLI, or whatever.
They get a little question stating this program wants to run, do you
give it permission. That's it, nothing else (might not like that dialog
all the time though, I am sure). And that is what I am trying to say
for selinux, that it needs to allow things to do what they need, and if
not, a simple little question or whatever to allow it. The user should
NOT have to go to the CLI for anything. They shouldn't have to do this
command or that command, JUST HIT YES OR NO!!

Well anyway, not ranting or raving. Just trying to maybe help clarify
what Jon was talking about, and what Alan was saying. SELinux I am sure
is a wonderful thing, and just needs to be I guess, dumbed down or
whatever so the user clearly understands what it is doing or not doing
and to present the user with simple to do questions/answers/buttons or
whatever to push/answer.

--
Mike Chambers
Fedora Project - Ambassador, Bug Zapper, Tester, User, etc..
mikec302@fedoraproject.org

 
