From: Karl MacMillan <kmacmillan@mentalrootkit.com>
To: Daniel J Walsh <dwalsh@redhat.com>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Re: Elimination of disable_trans boolean ramifications
Date: Mon, 26 Mar 2007 16:12:13 -0400 [thread overview]
Message-ID: <1174939933.15046.3.camel@localhost.localdomain> (raw)
In-Reply-To: <46081AE0.5070703@redhat.com>
On Mon, 2007-03-26 at 15:11 -0400, Daniel J Walsh wrote:
> Karl MacMillan wrote:
<snip>
> >
> > So - I like this idea from a technical point-of-view. The only concern
> > is that users are used to looking for a booleans for this type of thing.
> > There is some hope that they would discover the changed booleans poking
> > around a gui tool or using g/setsebool. I don't think most users would
> > never think to create a module to make a domain unconfined. Plus, the
> > directions on how to do this go from a single command to several.
> >
> > I've heard concern that the number of booleans is growing too large. I
> > would suggest that if that is your motivation for avoiding booleans that
> > we find a way to organize them instead.
> >
> > Karl
> >
> I think turning a domain unconfined_domain should be the last resort.
> (Or I guess better then chcon -t bin_t EXEC)
>
> I think adding a boolean makes it too easy for them.
>
I'm afraid that turning off selinux will be easier. I would rather a
user have a few unconfined domains than no selinux at all.
> The response to an AVC would be best if it involved the following:
>
> 1. Ignore AVC if the app works. Reporting a bugzilla against the package
> that created it. Leaked file descriptor or daemons trying to talk to
> terminals are classic examples of this.
> 2. If setroubleshoot suggests a boolean or file_context to set then set
> it and see if the app works.
> 3. audit2allow -M myEXEC -i /var/log/audit/audit.log to "fix" the
> policy for the app (BUGZILLA)
> 4. New tool to create unconfined_domain policy package for running
> daemon unconfined (BUGZILLA)
> 5. chcon -t bin_t EXEC (BUGZILLA)
> 6. setenforce 0 (BUGZILLA)
> 7. selinux=0 (BUGZILLA)
>
I agree up until 4, which I'm afraid will become goto 6 instead. Both 4
and 5 require that the user have some idea of what to do and there are
no "bread crumbs" for them to follow to get there. Considering how long
we have been pushing the disable_trans booleans I hesitate to change
that process radically.
Karl
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
prev parent reply other threads:[~2007-03-26 20:14 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-03-23 17:41 Elimination of disable_trans boolean ramifications Daniel J Walsh
2007-03-23 18:52 ` Daniel J Walsh
2007-03-28 18:09 ` Christopher J. PeBenito
2007-03-26 16:43 ` Karl MacMillan
2007-03-26 19:11 ` Daniel J Walsh
2007-03-26 20:12 ` Karl MacMillan [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1174939933.15046.3.camel@localhost.localdomain \
--to=kmacmillan@mentalrootkit.com \
--cc=dwalsh@redhat.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.