SELinux on Fedora 17 - troubles, troubles, troubles, ...
On Thu, Jul 19, 2012 at 12:11:12 +0200,
Mateusz Marzantowicz <mmarzantowicz@osdf.com.pl> wrote:

> I also do understand that reporting a bug for each problem with selinux I
> encounter in my system isn't going anywhere either. I'd also like to use
> this valuable security mechanism.

In my experience the selinux people in Fedora are very responsive to bugs.

--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
SELinux on Fedora 17 - troubles, troubles, troubles, ...
On Thu, Jul 19, 2012 at 1:11 PM, Mateusz Marzantowicz
<mmarzantowicz@osdf.com.pl> wrote:
>> You do understand that ranting (as opposed to reporting bugs / sending
>> fixes / etc) will get you nowhere, right?
>>
>> - Gilboa
>
> I also do understand that reporting a bug for each problem with selinux
> I encounter in my system isn't going anywhere either. I'd also like to use
> this valuable security mechanism.
>
> My original intention was to ask people on the list how they deal
> with the selinux policy mess in their systems, which, obviously, they have in
> their configs after using Fedora for more than a month. Maybe it's about
> finding "the path" or just the right management tools which I'm missing.
>
> Currently my knowledge of selinux isn't as big as yours, so I couldn't
> simply differentiate between my fault and a selinux policy bug. I also
> think that users shouldn't be forced to know that kind of thing.

A couple of things.

1. In my experience SELinux maintainers are *VERY* responsive. Most (if not
all) of the SELinux policy bugs that I opened were fixed within days, if not
hours.

2. IMO, given the complexity of SELinux and the huge number of different use
cases, SELinux will never simply work out of the box for every single
Joe Six-pack with their own unique use case (e.g. sharing home via SMB).
Sure, a graphical semanage could do wonders to help regular users, but in
the end, creating a tool that simply trains users to bypass SELinux errors
by clicking next->next->next will make it as redundant (security-wise) as
Windows' UAC.

In short, if you want the extra protection SELinux is offering, you'll have
to learn to use it, fix it and report informational bugs about it. No way
around it.

- Gilboa
SELinux on Fedora 17 - troubles, troubles, troubles, ...
On 07/19/2012 05:24 AM, Mateusz Marzantowicz wrote:
> Why is using SELinux on Fedora (I don't have experience with other
> distros) so painful from a regular user perspective?
>
> I'm talking about a situation in which, after installing stock packages and
> "just running" applications, I'm spending more time with the SELinux Alert
> Browser than any other system management utility.
>
> You'd probably say that it's my fault, that I messed up the selinux
> settings (yes, I confess, I've enabled samba sharing on some of my
> directories under home, but I've done this based on the official Wiki), but
> actually I only followed instructions from the alert browser. I've applied
> custom policies for one or two files that I then removed after one or two
> hours.
>
> I think that right now my system is as secure as with selinux disabled
> because of all the modifications that I've made. I'm not an idiot, but I
> really can't track all the security policies that are active in my desktop
> system used for daily work.
>
> Do I really need to become a security expert specialized in SELinux to use my
> system? I started reading about selinux design and configuration, but I
> think it's a waste of time. My current selinux problem is caused by
> systemd-tmpfiles trying to clean up my /tmp dir, where I copied some files
> from my home directory to play with and ... left them for automatic cleanup.
> The solution is obvious - remove the files from /tmp manually, but then the
> autoremover mechanism provided by Fedora is redundant.
>
> Is there a chance that someday users will use selinux without even noticing
> it's installed?
>
>
> Mateusz Marzantowicz

Well, you are complaining about two different problems, let's address them
separately. Setting up samba with SELinux can be daunting, since SELinux does
not just allow samba servers to share all content on the system out of the
box. You have to tell SELinux what you want to change. Did you look at
man samba_selinux? We now have over 400 man pages to explain how SELinux
interacts with different applications on a RHEL box.

You also might want to read

http://danwalsh.livejournal.com/30837.html

which might help you understand SELinux a little better.

As far as the /tmp problem with systemd-tmpfiles, this is a bug in the policy
that we are investigating. Basically what is happening is we removed
something that caused random leftover content in /tmp to become invalid, and
systemd-tmpfiles is not allowed to look at the content or delete it. It is
probably just best if you delete the content and then SELinux will stop
complaining about it.

ls -lZ /tmp/pulse-* -d
drwx------. gdm gdm system_u:object_r:xdm_tmp_t:s0 /tmp/pulse-51xb22O5vXMk
drwx------. dwalsh dwalsh staff_u:object_r:user_tmp_t:s0 /tmp/pulse-cvPtFlQSQRNj

If one is unlabeled_t, then delete it.

If you have any problems with SELinux please open a bugzilla or come to
#selinux on freenode, there are people there to help you.
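The check Dan describes (look at the labels under /tmp and delete whatever is unlabeled_t) is easy to script. The filter below is an added example, not code from the thread or from Dan Walsh: it reads `ls -lZ` output and reports the entries whose type component is unlabeled_t. It locates the security context by shape (user:role:type:level) rather than by column number, so it works with the older coreutils layout quoted in the thread and with the newer one that also prints link count, size and date. The sample listing is constructed; the paths and contexts in it are made up. Filenames containing whitespace are not handled.

```shell
#!/bin/sh
# Added example: find unlabeled_t entries in `ls -lZ` output.
# Not from the mailing-list thread; sample data below is constructed.

# Print "<type> <path>" for every entry in ls -lZ output read from stdin.
# The context field is the one shaped like user:object_r:type[:level];
# the path is taken as the last field.
selinux_types() {
    awk '{
        ctx = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[A-Za-z0-9_]+:object_r:[A-Za-z0-9_]+(:.*)?$/) { ctx = $i; break }
        }
        if (ctx == "") next                 # "total N" line or no context column
        split(ctx, parts, ":")              # parts[3] is the type component
        printf "%s %s\n", parts[3], $NF
    }'
}

# Print only the paths whose type is unlabeled_t, the ones Dan says to delete.
find_unlabeled() {
    selinux_types | awk '$1 == "unlabeled_t" { print $2 }'
}

# Constructed sample: roughly what `ls -lZd /tmp/*` could show after the
# policy change described in the thread. The third entry is the stale one.
# The last line uses the newer coreutils layout (links, size, date present).
SAMPLE='drwx------. gdm gdm system_u:object_r:xdm_tmp_t:s0 /tmp/pulse-51xb22O5vXMk
drwx------. dwalsh dwalsh staff_u:object_r:user_tmp_t:s0 /tmp/pulse-cvPtFlQSQRNj
-rw-rw-r--. mateusz mateusz system_u:object_r:unlabeled_t:s0 /tmp/notes.txt
drwxrwxrwt. 12 root root system_u:object_r:tmp_t:s0 4096 Jul 19 12:00 /tmp'

# On a live Fedora box (not run here):  ls -lZd /tmp/* | find_unlabeled
printf '%s\n' "$SAMPLE" | find_unlabeled
```

Why delete rather than relabel: the reference policy's file contexts mark `/tmp/.*` as `<<none>>`, so `restorecon -R /tmp` deliberately leaves such entries alone; removing the stale content is the practical fix, as Dan says. GNU find built with SELinux support can do the same search in one call with `find /tmp -context '*:unlabeled_t:*'`.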
SELinux on Fedora 17 - troubles, troubles, troubles, ...
On 07/19/2012 04:24 AM, Mateusz Marzantowicz wrote:
> Why is using SELinux on Fedora (I don't have experience with other
> distros) so painful from a regular user perspective?
> [...]
> Is there a chance that someday users will use selinux without even noticing
> it's installed?
>
> Mateusz Marzantowicz

Howdy -

Take a look at http://www.youtube.com/watch?v=e_dzkYlXggM and
http://people.redhat.com/tcameron - there's a presentation there called
"SELinux for Mere Mortals". Hopefully it helps with your SELinux questions.
SELinux on Fedora 17 - troubles, troubles, troubles, ...
There was a write-up on sharing home directories with samba that
someone had posted on google+.

http://rogue-technology.com/blog/?p=1601
SELinux on Fedora 17 - troubles, troubles, troubles, ...
On 19.07.2012 15:41, Daniel J Walsh wrote:
> On 07/19/2012 05:24 AM, Mateusz Marzantowicz wrote:
> [...]
>
> Well, you are complaining about two different problems, let's address them
> separately. Setting up samba with SELinux can be daunting, since SELinux does
> not just allow samba servers to share all content on the system out of the
> box. You have to tell SELinux what you want to change.
>
> Did you look at man samba_selinux? We now have over 400 man pages to
> explain how SELinux interacts with different applications on a RHEL box.
>
> You also might want to read
>
> http://danwalsh.livejournal.com/30837.html
>
> which might help you understand SELinux a little better.
>
> As far as the /tmp problem with systemd-tmpfiles, this is a bug in the policy
> that we are investigating. Basically what is happening is we removed
> something that caused random leftover content in /tmp to become invalid, and
> systemd-tmpfiles is not allowed to look at the content or delete it. It is
> probably just best if you delete the content and then SELinux will stop
> complaining about it.
>
> ls -lZ /tmp/pulse-* -d
> drwx------. gdm gdm system_u:object_r:xdm_tmp_t:s0 /tmp/pulse-51xb22O5vXMk
> drwx------. dwalsh dwalsh staff_u:object_r:user_tmp_t:s0 /tmp/pulse-cvPtFlQSQRNj
>
> If one is unlabeled_t, then delete it.
>
> If you have any problems with SELinux please open a bugzilla or come to
> #selinux on freenode, there are people there to help you.

Thank you all for your answers and the help provided on this subject.

I was able to successfully set up samba sharing using information from the
Fedora Wiki; all is very clear and accurate there (at least for my case).
Sadly, after some time I was informed that some other policy problems
existed related to my setup, but I resolved them quickly with the alert browser.
Thanks anyway for more hints.

I have one more question: is there a method to reset selinux attributes on
file system objects to factory defaults, meaning the state after a fresh
installation?

Mateusz Marzantowicz
SELinux on Fedora 17 - troubles, troubles, troubles, ...
Mateusz Marzantowicz (mmarzantowicz@osdf.com.pl) writes:
> I have one more question: is there a method to reset selinux attributes
> on file system objects to factory defaults, meaning the state after a
> fresh installation?

restorecon(8)

restorecon filename
restorecon -R /path

--
--Zdenek Pytela, <pytela@phil.muni.cz>
SELinux on Fedora 17 - troubles, troubles, troubles, ...
On 07/20/2012 03:19 AM, Mateusz Marzantowicz wrote:
> On 19.07.2012 15:41, Daniel J Walsh wrote:
> [...]
>
> Thank you all for your answers and the help provided on this subject.
>
> I was able to successfully set up samba sharing using information from the
> Fedora Wiki; all is very clear and accurate there (at least for my case).
> Sadly, after some time I was informed that some other policy problems
> existed related to my setup, but I resolved them quickly with the alert browser.
> Thanks anyway for more hints.
>
> I have one more question: is there a method to reset selinux attributes on
> file system objects to factory defaults, meaning the state after a fresh
> installation?
>
>
> Mateusz Marzantowicz

If you just used chcon, then restorecon will set them back to the defaults.
If you used semanage to change the labels in the labeling database, you would
have to remove the records.

semanage fcontext -l -C

would list any file context label changes.
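The two answers above fit together into one procedure: `restorecon` undoes `chcon`, but labels added with `semanage fcontext` live in the local labeling database and survive a `restorecon` until the records are removed. The script below is an added example, not code from the thread or from Fedora: it reads the output of `semanage fcontext -l -C` (local customizations only) and prints the `semanage fcontext -d` command for each record, followed by the `restorecon -RFv` calls that relabel the affected trees. It only prints commands, so it can be reviewed before anything is run and it works on a machine without SELinux. Assumptions: the file-type column uses the wording semanage prints ("all files", "directory", "regular file", ...), mapped here to the single-letter `-f` flags from semanage-fcontext(8); the listing is constructed; patterns containing whitespace are not handled.

```shell
#!/bin/sh
# Added example: turn `semanage fcontext -l -C` output into the commands that
# remove the local customizations and relabel what they covered.
# Not from the mailing-list thread; the sample listing below is constructed.

fcontext_undo() {
    awk '
    BEGIN {
        # semanage file-type wording -> -f flag (assumed from semanage-fcontext(8)).
        flag["all files"]        = ""
        flag["regular file"]     = "-f f "
        flag["directory"]        = "-f d "
        flag["character device"] = "-f c "
        flag["block device"]     = "-f b "
        flag["socket"]           = "-f s "
        flag["symbolic link"]    = "-f l "
        flag["named pipe"]       = "-f p "
    }
    $1 == "SELinux" && $2 == "fcontext" { next }   # column header
    NF < 3 { next }                                 # blank or malformed line
    {
        pattern = $1; context = $NF
        # The type wording may contain a space: join every field between them.
        ftype = $2; for (i = 3; i < NF; i++) ftype = ftype " " $i
        f = (ftype in flag) ? flag[ftype] : "-f " ftype " "
        printf "semanage fcontext -d %s\"%s\"\n", f, pattern

        # Directory to relabel afterwards: the literal prefix of the pattern,
        # cut at the first regex metacharacter, without a trailing slash.
        base = ""
        for (j = 1; j <= length(pattern); j++) {
            c = substr(pattern, j, 1)
            if (index("()[].*?+\\|", c)) break
            base = base c
        }
        sub(/\/$/, "", base); if (base == "") base = "/"
        if (!(base in seen)) { seen[base] = 1; order[++n] = base }
    }
    END { for (i = 1; i <= n; i++) printf "restorecon -RFv \"%s\"\n", order[i] }
    '
}

# Constructed sample of what `semanage fcontext -l -C` might list on the
# poster's machine after following the samba sharing instructions.
SAMPLE='SELinux fcontext                                   type               Context

/srv/samba(/.*)?                                   all files          system_u:object_r:samba_share_t:s0
/home/[^/]*/share(/.*)?                            directory          system_u:object_r:samba_share_t:s0
/home/mateusz/public                               regular file       system_u:object_r:public_content_rw_t:s0'

# On a live box (as root, not run here):  semanage fcontext -l -C | fcontext_undo
printf '%s\n' "$SAMPLE" | fcontext_undo
```

Review the printed commands, then run them as root. `restorecon -RFv` is used deliberately: without `-F`, restorecon only resets the type component, so a label whose SELinux user was changed (for example `staff_u` instead of `system_u`) would keep it. This only covers file contexts; boolean and port customizations are listed separately with `semanage boolean -l -C` and `semanage port -l -C`, and a full relabel of every filesystem can be forced with `touch /.autorelabel` followed by a reboot.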