Monday, April 21, 2008

When SELinux bites, tell SELinux to go bite itself

SELinux is a rather impressive, if not annoyingly efficient, process and access-based security system for Linux. I currently enjoy the warm, affectionate glow of alerts on Fedora 8.

As useful as SELinux can be, there are easy ways to make it squeal like a stuck pig (i.e., complain frequently). My last "stuck pig episode" included a few 25M log files of nothing but squealing. At issue was a mislabeled file that sendmail wanted to access. After causing my internal email to queue up more than 4000 messages, I decided to work on it.

If I had the specific path to the offending object(s) listed in the alert message, I could have solved this problem with something like:
# Fedora 8: tell SELinux to restore
# default security labels to a file
# or directory:
/sbin/restorecon 'services'
/sbin/restorecon -R '.'

Common net-thinking is that the default labels are occasionally fouled when some updates occur. They are most likely fouled more frequently by users editing files in their home directory and promoting those files into a new location on the file system without handling the security labeling (which is actually the point of this kind of security: know what you are doing and tell the OS what is and isn't OK to do).

After trying to use the alert system's recommendation, I finally looked for a more blunt instrument (the alert needed to have an absolute path for the offending element so that I could have a chance to locate and fix it).
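The alert above named the file but not its path. As an added example (not from the original post), this script collapses a flood of AVC denials into one row per offending object and prints the inode lookup that recovers the path to hand to `restorecon`. The log lines are constructed samples, and the function names and the `MOUNTPOINT_OF_` placeholder are assumptions.

```shell
#!/bin/sh
# Constructed sample audit records (not taken from the original post's logs).
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1208790001.101:901): avc:  denied  { read } for  pid=2345 comm="sendmail" name="services" dev=dm-0 ino=1234567 scontext=system_u:system_r:sendmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1208790002.202:902): avc:  denied  { read } for  pid=2346 comm="sendmail" name="services" dev=dm-0 ino=1234567 scontext=system_u:system_r:sendmail_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1208790002.202:902): arch=40000003 syscall=5 success=no exit=-13 comm="sendmail" exe="/usr/sbin/sendmail.sendmail"
type=AVC msg=audit(1208790003.303:903): avc:  denied  { getattr } for  pid=2400 comm="httpd" name="index.html" dev="dm-0" ino=7654321 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
EOF
}

# Reads audit log text on stdin, e.g. summarize_avc_denials < /var/log/audit/audit.log
# Prints "count comm name dev ino tcontext", most frequent denial first.
# Assumption: field values contain no whitespace.
summarize_avc_denials() {
  awk '
    /^type=AVC / && / denied / {
      comm = name = dev = ino = tctx = "?"
      for (i = 1; i <= NF; i++) {
        eq = index($i, "=")
        if (eq == 0) continue
        key = substr($i, 1, eq - 1)
        val = substr($i, eq + 1)
        gsub(/"/, "", val)   # dev= is quoted by some kernels, bare in others
        if (key == "comm") comm = val
        else if (key == "name") name = val
        else if (key == "dev") dev = val
        else if (key == "ino") ino = val
        else if (key == "tcontext") tctx = val
      }
      seen[comm " " name " " dev " " ino " " tctx]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k1,1nr -k2
}

# Turns each summary row into the lookup to run next. Commands are printed,
# not executed; MOUNTPOINT_OF_<dev> is a placeholder for where <dev> is mounted.
relabel_hints() {
  while read -r _count _comm _name dev ino _tctx; do
    printf 'find MOUNTPOINT_OF_%s -xdev -inum %s -print\n' "$dev" "$ino"
  done
}

sample_avc_log | summarize_avc_denials
```

Once `find` prints the absolute path, `/sbin/restorecon -v` on that path restores the default label for just that object.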

So, I went to my friend, my buddy, my pal: Google. Google told me (indirectly) to look here for this pearl of wisdom:
# Fedora 8: tell SELinux to restore
# security labels to all files:
touch /.autorelabel
reboot

This operation asks SELinux to reapply the default security labels to all files on the file systems after a reboot. This "relabel them all and let Root sort them out" approach may have solved more problems than I knew.

Note: I am not running any custom policies yet so there wasn't a conflict for me.
