Hacker News new | ask | show | jobs
by zmyrgel 3984 days ago
I spent two days trying to get selinux working with our servers and just gave up again. I have actual work to be done instead of turning the selinux knobs. Something simple as tame would be welcome, zero administrative overhead but plugs few potential security holes.
1 comments
chousuke 3984 days ago
I can't say what you were trying to do, but I've had to set up SELinux several times, and it's always been a fairly simple iterative process:

1. enable permissive mode

2. test application

3. check audit logs for any complaints

4. if no complaints, you're done. enable enforcing mode and test again.

5. otherwise, evaluate the complaints and fix the issues, either by tuning fcontexts (often, a simple path equivalency is enough if you're installing things on nondefault paths, as is common.) or by creating a custom policy module (audit2allow helps), then go to 2.

It's work you should do anyway. Securing an environment is part of setting it up.

link
ghshephard 3984 days ago
The users/sysadmins I've known take the following process:

o Run Application

o Get weird error.

o Google the error, see someone mentioning "This is because of SElinux"

o Google how to "Disable SELinux"

I'm not saying that's what they should be doing, just saying it's what I've observed. What's nice about tame is - there is nothing to enable/disable, it's just part of software.

link
mhurron 3984 days ago
That's pretty much the definition of lazy. Yes, its one more thing that needs to be learned but that is part of the job.

> What's nice about tame is - there is nothing to enable/disable, it's just part of software.

And what's nice about SELinux (if you learn it) is it applies to the system and everything running on it whether or not it's been written for it. You can even put it in a logging only, and use those logs to generate the needed policies. SELinux will tell you what is going on.

What you point out as nice about tame() means that nothing will use it except what is in the core of OpenBSD.

link
ghshephard 3983 days ago
Completely agree with you that SELinux is a better general solution, applies to a broader community of software, and that users, and certainly sysadmins, should take the time to understand how it works, generate policies for the software they use, and take advantages of the security that it provides.
link
throw7 3984 days ago
Years ago when I was trying to simply grok selinux, I ran into the dontaudit rules. That was very frustrating and hair pulling day. I had and have no problem disabling selinux to this day.
link