Re: SELinux: friend or foe?
From: Chris (tpacpl92_at_yahoo.com)
Date: 01/19/05
Date: Wed, 19 Jan 2005 17:04:41 GMT
On Wed, 22 Dec 2004 00:34:51 +0000, Kevin Collins wrote:
> In article <pan.2004.12.21.22.18.11.360574@you.now>, Ivan Marsh wrote:
>> On Tue, 21 Dec 2004 20:35:12 +0000, noi wrote:
>>
>>> On Mon, 20 Dec 2004 19:34:40 -0800, prg thoughtfully wrote:
>>>> Ivan Marsh wrote:
>>>>> Hey folks,
>>>>>
>>>>> Anyone else out here trying to get themselves up to speed with
>>>>> SELinux?
>>>>>
>>>>> It sounds like a very powerful tool... if I can figure out how to use
>>>>> it.
>>>>>
>>>>> I've, so far, managed to lock myself out of my own system on two
>>>>> separate occasions. Happily I was able to recover without too much
>>>>> trouble.
>>>>>
>>>>> Just wondering if anyone has any insights, opinions or good resources
>>>>> to share.
>>>>
>>>> Surely you jest. Google "selinux" and ... Results 1 - 50 of about
>>>> 578,000 English pages for selinux
>>
>> Can I assume you have selinux running in strict mode? Perhaps you have
>> something of value the group might want to know about?
>>
>>>> Should keep you busy till summer anyway.
>>>>
>>>> BTW, your near misses are pretty common -- in fact, complete lockout
>>>> does happen.
>>>>
>>>> http://fedora.redhat.com/docs/selinux-faq-fc2/ my point and click offer
>>>> of the day
>>
>> Yea, I've read that... I've also read the NSA data on it... and about 50
>> other papers describing its use. I have a pretty good grasp of the
>> concepts behind it but none of the practical knowledge I'd like to have.
>>
>> I want to actually know how to use it beyond setting disabled to enabled,
>> and talk to others that are trying to figure it out.
>>
>>> Duh, I don't think he was joking. SELinux ain't easy at least in FC2 it
>>> ain't. Lots of cleaning and fixing and even then some cron jobs won't
>>> run. And that's in warn mode.
>>
>> I wasn't kidding. I'm glad it's not just me that finds doing anything with
>> selinux besides running the pre-built targeted policy a bit daunting. Even
>> the targeted policy that comes with FC3 prevents LAMP from working
>> properly.
>>
>> I'm going to keep working on it until I get it figured out and would like
>> to hear from anyone doing the same so we can compile a "what's going to
>> screw you" FAQ for selinux.
>
> I also read something recently (somewhere on redhat.com) that SElinux on FC3 is
> changed quite a bit from FC2, and IIRC, it will be much more restricted to
> certain services... So, you may want to research more on the FC3 version since
> that's where things are (currently) leaning.
>
> Kevin
I think I have to label it a foe at this point! It locks things out
randomly, it seems. Loaded FC3 on 3 PCs and a laptop and the problems are
different on every one. Actually works better on the laptop than anything.
I even have to be root to play games online! Not a good thing!!