Linux Archive - Fedora User
SELinux on Fedora 17 - troubles, troubles, troubles, ... (http://www.linux-archive.org/fedora-user/685202-selinux-fedora-17-troubles-troubles-troubles.html)

Bruno Wolff III 07-19-2012 12:53 PM

SELinux on Fedora 17 - troubles, troubles, troubles, ...
 
On Thu, Jul 19, 2012 at 12:11:12 +0200,
Mateusz Marzantowicz <mmarzantowicz@osdf.com.pl> wrote:


> I also do understand that reporting a bug for each problem with selinux
> I encounter in my system isn't going anywhere too. I'd also like to use
> this valuable security mechanism.


In my experience the selinux people in Fedora are very responsive to bugs.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org

Gilboa Davara 07-19-2012 01:23 PM

SELinux on Fedora 17 - troubles, troubles, troubles, ...
 
On Thu, Jul 19, 2012 at 1:11 PM, Mateusz Marzantowicz
<mmarzantowicz@osdf.com.pl> wrote:
> > You do understand that ranting (as opposed to reporting bugs / sending
> > fixes / etc) will get you nowhere, right?
> >
> > - Gilboa
>
> I also do understand that reporting a bug for each problem with selinux
> I encounter in my system isn't going anywhere too. I'd also like to use
> this valuable security mechanism.
>
> My original intention was to ask people on the list how do they deal
> with selinux policy mess in their systems which is obvious, they have in
> their configs after using Fedora for more than a month. Maybe it's about
> finding "the path" or just right management tools which I'm missing.
>
> Currently my knowledge of selinux isn't that big as yours so I couldn't
> simply differentiate between my fault and selinux policy bug. I also
> think that users shouldn't be forced to know that kind of things.

A couple of things.
1. In my experience SELinux maintainers are *VERY* responsive. Most
(if not all) of the SELinux policy bugs that I opened were fixed
within days if not hours.
2. IMO, given the complexity of SELinux and given the huge
amount of different use cases, SELinux will never simply work out of
the box for every single Joe-six-pack with its own unique use case.
(E.g. sharing home via SMB)
Sure, a graphical semanage could do wonders to help regular users, but
in the end, creating a tool that will simply train users to bypass
SELinux errors by clicking next->next->next will simply make it as
redundant (security wise) as Windows' UAC.

In short, if you want the extra protection SELinux is offering, you'll
have to learn to use it, fix it and report informational bugs about
it. No way around it.

- Gilboa

Daniel J Walsh 07-19-2012 01:41 PM

SELinux on Fedora 17 - troubles, troubles, troubles, ...
 
On 07/19/2012 05:24 AM, Mateusz Marzantowicz wrote:
> Why is using of SELinux on Fedora (I don't have experience with other
> distros) so painful from a regular user perspective?
>
> I'm talking about situation in which after installing stock packages and
> "just running" applications I'm spending more time with SELInux Alert
> Browser than any other system management utility.
>
> You'd probably say that it's my fault, that I messed up with selinux
> settings (yes, I confess, I've enabled samba sharing on some of my
> directories under home but I've done this based on official Wiki) but
> actually I only followed instructions from alert browser. I've applied
> custom policies for one or two files that I then removed after one or two
> hours.
>
> I think that right now my system is as secure as with selinux disabled
> because of all that modification that I've made. I'm not an idiot but I
> really can't track all security policies that are active in my desktop
> system used for daily work.
>
> Do I really need to became security expert specialized in SELInux to use my
> system? I started reading about selinux design and configuration but I
> think it's a waste of time. My current selinux problem is caused by
> systemd-tmpfiles trying to cleanup my /tmp dir where I copied some files
> from home directory to play with and ... left them for automatic cleanup.
> Solution is obvious - remove files form /tmp manually but then autoremover
> mechanism provided by Fedora is redundant.
>
> Is there a chance that someday users will use selinux without even noticing
> it's installed?
>
>
> Mateusz Marzantowicz
>


Well you are complaining about two different problems, let's address them
separately. Setting up samba with SELinux can be daunting, since SELinux does
not just allow samba servers to share all content on the system out of the
box. You have to tell SELinux what you want to change.

Did you look at the man samba_selinux? We now have over 400 man pages to
explain how SELinux interacts with different applications on a RHEL box.

You also might want to read

http://danwalsh.livejournal.com/30837.html

which might help you understand SELinux a little better.

As far as the /tmp problem with systemd-tmpfiles, this is a bug in the policy
that we are investigating. Basically what is happening is we removed
something that caused a random leftover content in /tmp to become invalid and
the systemd-tmpfiles is not allowed to look at the content or delete it. It
is probably just best if you delete the content and then SELinux will stop
complaining about it.

ls -lZ /tmp/pulse-* -d
drwx------. gdm gdm system_u:object_r:xdm_tmp_t:s0 /tmp/pulse-51xb22O5vXMk
drwx------. dwalsh dwalsh staff_u:object_r:user_tmp_t:s0 /tmp/pulse-cvPtFlQSQRNj


If one is unlabeled_t, then delete it.

If you have any problems with SELinux please open a bugzilla or come to
#selinux on freenode, there are people there to help you.




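Dan's "look at the label, and if it is unlabeled_t delete it" check can be scripted so the whole of /tmp is reviewed at once. The script below is an added example, not code from the thread or from the SELinux project. It reads `ls -lZ` output on stdin, finds the context column by its shape rather than its position (old coreutils printed no size/date columns with -Z, as in Dan's listing; newer ones do), and prints only the paths whose type is unlabeled_t. The sample listing is constructed (the thread's two lines plus two invented stale entries) so the script runs where SELinux is absent; it reports and never deletes.

```shell
#!/bin/sh
# Added example, not from the thread: report /tmp entries whose SELinux type
# is unlabeled_t, the condition Dan Walsh says to resolve by deleting the
# entry. The filter reads `ls -lZ` output on stdin, so it works on a live
# system (ls -lZ -d /tmp/* | find_unlabeled) and on the constructed sample
# below, which lets it run where SELinux is not present.

# Constructed sample: the two lines from the thread (old coreutils layout,
# no size/date columns) plus one stale entry, and one line in the newer
# coreutils layout (link count, size and date present). Names are made up.
SAMPLE='drwx------. gdm gdm system_u:object_r:xdm_tmp_t:s0 /tmp/pulse-51xb22O5vXMk
drwx------. dwalsh dwalsh staff_u:object_r:user_tmp_t:s0 /tmp/pulse-cvPtFlQSQRNj
drwx------. dwalsh dwalsh system_u:object_r:unlabeled_t:s0 /tmp/leftover-dir
drwx------. 2 alice alice system_u:object_r:unlabeled_t:s0 4096 Jul 19 10:00 /tmp/stale-dir'

# Print the path of every listed entry whose context type is unlabeled_t.
# The context column is located by its shape (user:role:type[:range] with
# role object_r) rather than by position, so both ls layouts work. The path
# is taken as the last field, so names containing spaces are not handled.
find_unlabeled() {
    awk '{
        for (i = 1; i <= NF; i++) {
            n = split($i, part, ":")
            if (n >= 3 && part[2] == "object_r") {
                if (part[3] == "unlabeled_t") print $NF
                break
            }
        }
    }'
}

# Number of unlabeled entries, for a one-line health check.
count_unlabeled() {
    find_unlabeled | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE" | find_unlabeled
```

On a live system pipe the real listing in instead of the sample, for example `ls -lZ -d /tmp/* /tmp/.[!.]* 2>/dev/null | find_unlabeled`, then decide per path whether to remove it as Dan suggests. A non-zero `count_unlabeled` after the policy fix he mentions has landed is worth a bug report with the offending paths attached.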

Thomas Cameron 07-19-2012 02:33 PM

SELinux on Fedora 17 - troubles, troubles, troubles, ...
 
On 07/19/2012 04:24 AM, Mateusz Marzantowicz wrote:
> [original message snipped; it is quoted in full in Daniel J Walsh's reply above]

Howdy -

Take a look at http://www.youtube.com/watch?v=e_dzkYlXggM and
http://people.redhat.com/tcameron - there's a presentation there called
"SELinux for Mere Mortals"


Hopefully it helps with your SELinux questions.

David Quigley 07-19-2012 08:04 PM

SELinux on Fedora 17 - troubles, troubles, troubles, ...
 
There was a write up on sharing home directories with samba that
someone had posted on google+.


http://rogue-technology.com/blog/?p=1601

Mateusz Marzantowicz 07-20-2012 07:19 AM

SELinux on Fedora 17 - troubles, troubles, troubles, ...
 
On 19.07.2012 15:41, Daniel J Walsh wrote:
> [Daniel J Walsh's reply snipped; it appears in full above]

Thank you all for your answers and provided help on this subject.

I was able to successfully setup samba sharing using information from
Fedora Wiki, all is very clear and accurate there (at last for my case).
Sadly after some time I've been informed that some other policy problems
existed related to my setup but I resolved them quickly with alert
browser. Thanks anyway for more hints.

I have one more question: is there a method to reset selinux attributes
on file system objects to factory defaults, meaning the state after
fresh installation?


Mateusz Marzantowicz

Zdenek Pytela 07-20-2012 12:32 PM

SELinux on Fedora 17 - troubles, troubles, troubles, ...
 
Mateusz Marzantowicz (mmarzantowicz@osdf.com.pl) writes:
> I have one more question: is there a method to reset selinux attributes
> on file system objects to factory defaults, meaning the state after
> fresh installation?
restorecon(8)
restorecon filename
restorecon -R /path

--

--Zdenek Pytela, <pytela@phil.muni.cz>


Daniel J Walsh 07-20-2012 08:24 PM

SELinux on Fedora 17 - troubles, troubles, troubles, ...
 
On 07/20/2012 03:19 AM, Mateusz Marzantowicz wrote:
> [earlier exchange snipped; it appears in full above]
>
> I have one more question: is there a method to reset selinux attributes on
> file system objects to factory defaults, meaning the state after fresh
> installation?
>
>
> Mateusz Marzantowicz
>
If you just used chcon, restorecon will set them back to the defaults. If
you used semanage to change the labels in the labeling database, you would
have to remove the records.

semanage fcontext -l -C

Would list any file context label changes.



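Putting Zdenek's restorecon answer and Dan's `semanage fcontext -l -C` check together: the script below is an added example, not code from the thread or from the SELinux tools. It reads the output of `semanage fcontext -l -C` on stdin and prints, for each local rule, the `semanage fcontext -d` command that would remove it and a `restorecon -Rnv` dry run of the affected path, so an admin can review the plan before applying it. The sample output, paths and labels are constructed; the `-f` letters for file types are taken from semanage-fcontext(8). Equivalence rules are listed by semanage but skipped here and must be reviewed by hand.

```shell
#!/bin/sh
# Added example, not from the thread: turn the local file-context
# customizations listed by `semanage fcontext -l -C` (the check Dan Walsh
# suggests) into a reviewable plan for undoing them, followed by a
# restorecon dry run of each affected path (the reset Zdenek Pytela points
# to). Nothing is executed; the commands are printed for an admin to review.

# Constructed sample of `semanage fcontext -l -C` output: a header, two
# local rules, and an equivalence section. Paths and labels are made up.
SAMPLE='SELinux fcontext                  type               Context
/home/bob/share(/.*)?             all files          system_u:object_r:samba_share_t:s0
/srv/media                        directory          system_u:object_r:public_content_t:s0

SELinux Local fcontext Equivalence
/srv/www = /var/www'

# Read semanage output on stdin and print the revert plan. Only rule lines
# (last column is a full context containing object_r) are handled; the
# equivalence section is skipped and must be reviewed by hand.
revert_plan() {
    awk '
    $NF ~ /:object_r:/ {
        spec = $1
        # Columns 2..NF-1 form the file-type description ("all files", ...).
        ftype = $2
        for (i = 3; i < NF; i++) ftype = ftype " " $i
        # semanage deletes by spec plus file type; map the description to
        # the -f letter from semanage-fcontext(8). "all files" needs no -f.
        flag = ""
        if (ftype == "regular file") flag = "-f f "
        else if (ftype == "directory") flag = "-f d "
        else if (ftype == "symbolic link") flag = "-f l "
        else if (ftype == "character device") flag = "-f c "
        else if (ftype == "block device") flag = "-f b "
        else if (ftype == "socket") flag = "-f s "
        else if (ftype == "named pipe") flag = "-f p "
        # Path to relabel: the spec cut at its first regex metacharacter.
        cut = length(spec) + 1
        split("( [ * ?", metas, " ")
        for (m in metas) {
            p = index(spec, metas[m])
            if (p > 0 && p < cut) cut = p
        }
        base = substr(spec, 1, cut - 1)
        printf "semanage fcontext -d %s\"%s\"\n", flag, spec
        printf "restorecon -Rnv \"%s\"\n", base
    }'
}

printf '%s\n' "$SAMPLE" | revert_plan
```

On a live system run `semanage fcontext -l -C | revert_plan`, read the plan, and drop the `-n` from restorecon once you are happy with it. If the list is empty, only chcon was used and, as Dan says, `restorecon -R` on the paths you touched is the whole reset. `semanage fcontext -D` removes every local rule in one go, which is the blunt alternative when you no longer care which customizations were yours.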

