What are you all doing/have done to bootstrap your knowledge about SELinux?
Michael D. Parker
General Atomics - EMS
Michael.d.parker@ga.com <<<<< NOTE: Remember to include my middle initial >>>>>
+1 858 964 6675 / Office 86-1319
16969 Mesamint Street / San Diego / CA / 92127

CONFIDENTIALITY NOTICE: This communication is intended to be confidential to the person(s) to whom it is addressed. If you are not the intended recipient or the agent of the intended recipient or if you are unable to deliver this communication to the intended recipient, you must not read, use or disseminate this information. If you have received this communication in error, please advise the sender immediately by telephone and delete this message and any attachments without retaining a copy.
"Parker, Michael D." Michael.D.Parker@ga.com:
What are you all doing/have done to bootstrap your knowledge about SELinux?
It's been a painful process and disillusionment.
SELinux means two distinct things:
(1) A fundamental mechanism. Most introductory material explains this part, and you think it must make sense.
(2) The specific application of SELinux by the Linux distros. This is a vast collection of prebuilt policies and attributes.
The "SELinux" you need to deal with as an administrator or a software developer is mostly (2). The SELinux Proper (1) is as far removed from (2) as semiconductor chemistry is from Java programming. Unfortunately, (2) is also so complicated you shouldn't even think of coming up with a policy on your own. Rather, you should take the distro's policy collection as a given. The distro's administration guide lists the available policies plus the handful of configuration parameters (aka "booleans") that give you limited degrees of freedom.
I don't think SELinux is badly designed or implemented. I think the core problem is that the SELinux approach to Mandatory Access Control cannot work.
Say I want to install a piece of software that doesn't come with my distro. Take Guix, for example. The prebuilt policies don't know anything about it. So, as an admin, what am I to do? What directories and files does Guix need to touch? What kinds of "transitions" do I need to allow? What kinds of labels do I need to introduce to my system? What kinds of tools do I need to use to integrate a Guix policy to the prebuilt policies?
The sad answer often offered to these questions is, don't. Simply monitor Guix running and see the complaints in the system audit log files. Then use a special silencer tool to make SELinux shut up about those observed complaints. After a while you hope you have charted all of the liberties Guix needs to do its work and you make your ad-hoc "policy" mandatory.
Marko
My reading of your comments is that you have found the process of learning SELinux on an admin/developer level overly painful, and more so than it needs to be. As a result, most people disable this additional software protection in order to keep their system operating without having to take excessive time to fully understand this facility.
Unfortunately, I am in a situation where it is necessary to make this functionality work for a development project that I am involved with.
Having to become an expert in short order is looking to be a little challenge. I'm up for it. Will definitely prove useful once I understand it.
What I (and most other admins) am looking for is people to ask questions, as the various documentation out there has some differences based on when it was written.
-----Original Message-----
From: Marko Rauhamaa <marko@pacujo.net>
Sent: Monday, August 01, 2016 3:58 PM
To: Parker, Michael D. <Michael.D.Parker@ga.com>
Cc: selinux@lists.fedoraproject.org
Subject: Re: --EXTERNAL--Welcome to the "selinux" mailing list
On 08/02/2016 01:20 AM, Parker, Michael D. wrote:
What are you all doing/have done to bootstrap your knowledge about SELinux?
As a starter I strongly recommend the Selinux Coloring Book ( https://github.com/mairin/selinux-coloring-book ) . You can then continue with the presentation from https://www.youtube.com/watch?v=bQqX3RWn0Yw
Once you feel familiar enough, good reads are the selinux related links from https://docs.fedoraproject.org/en-US/Fedora/ , for instance https://docs.fedoraproject.org/en-US/Fedora/24/html/SELinux_Users_and_Admini... ( and/or the earlier guides, there are several starting from Fedora 13)
And last but not least, do not feel shy to ask in #selinux (freenode) or even over here... even if, just like me, your first iteration of a policy is laughable. No one was born with intrinsic knowledge; we all learned and are still learning. And the SELinux-knowledgeable people from these two avenues are among the best teachers I've met in 30 years of practice.
wolfy, adopter of selinux in 2005 and still using it
The approach I used some years ago was to start by reading the NSA docs as best I could, though I did not take them in even close to fully, but I’m still glad I didn’t skip that step. They seem to be here now, I’m out of date at this point https://www.nsa.gov/what-we-do/research/selinux/documentation/
Next I read some Red Hat and CentOS docs for practical steps to get the targeted policy running on my systems - they are a relief at that point! It has boiled down for me to fixing file context rules first and only adding new policy rules when there was a need and it made sense. There have been times when I generated policy blindly with the tool audit2allow just to get something running, as being better than nothing. But experience has shown me that it is worth the time, when I have it, to figure out which of those were needed and which I was better off blocking. SELinux has been my friend in terms of saving me from buggy software as well. Let me know if you'd like some links.
Also this is cool: http://people.redhat.com/duffy/selinux/selinux-coloring-book_A4-Stapled.pdf
Maria
On Aug 1, 2016, at 6:20 PM, Parker, Michael D. Michael.D.Parker@ga.com wrote:
What are you all doing/have done to bootstrap your knowledge about SELinux?
-- selinux mailing list selinux@lists.fedoraproject.org https://lists.fedoraproject.org/admin/lists/selinux@lists.fedoraproject.org
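Both Marko's description of the "watch the audit log, then silence the complaints" workflow and Maria's point that file-context fixes should come before new allow rules amount to a triage step that audit2allow does not do for you. The following is an added example, not code from this thread or from the SELinux project: a small Python script that parses constructed AVC denial records (the process name, types and inode numbers are illustrative, not from a real host), sorts each denial into "relabel", "investigate" or "review", and prints audit2allow-style rules only for the last bucket so they can be read before anything is installed with semodule. The type and permission sets it keys on (default_t, unlabeled_t, file_t; execmem, execstack, execheap, execmod) are real SELinux names, but which of them matter on a given system is a judgement call the script leaves to the reader.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from any real host). The field layout
# mirrors the kernel's AVC lines in /var/log/audit/audit.log; the process,
# types and inode numbers are illustrative only.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1470097200.101:301): avc:  denied  { write } for  pid=2101 comm="guix-daemon" name="store" dev="sda1" ino=131 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1470097200.102:302): avc:  denied  { add_name } for  pid=2101 comm="guix-daemon" name="tmp-build" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1470097200.103:303): avc:  denied  { name_connect } for  pid=2101 comm="guix-daemon" dest=443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1470097200.104:304): avc:  denied  { execmem } for  pid=2150 comm="guile" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process permissive=0
type=AVC msg=audit(1470097200.105:305): avc:  denied  { read } for  pid=2101 comm="guix-daemon" name="passwd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1470097200.105:305): arch=c000003e syscall=257 success=no exit=-13 comm="guix-daemon"
"""

# Target types that mean "this object never received a proper label": the fix
# is a file-context rule (semanage fcontext ... + restorecon), not an allow rule.
MISLABEL_TYPES = {"default_t", "unlabeled_t", "file_t"}
# Permissions that usually point at a bug in the program (writable + executable
# memory) rather than a policy gap; allowing them blindly weakens the policy.
RISKY_PERMS = {"execmem", "execstack", "execheap", "execmod"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERMS_RE = re.compile(r"\{ ([^}]+) \}")          # the { perm perm ... } set


def parse_avc(line):
    """Return a dict for one AVC 'denied' record, or None for any other line."""
    if not line.startswith("type=AVC") or " denied " not in line:
        return None
    perms = PERMS_RE.search(line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if not perms or not all(k in fields for k in ("scontext", "tcontext", "tclass")):
        return None
    return {
        "perms": frozenset(perms.group(1).split()),
        "comm": fields.get("comm", "?"),
        # user:role:type:level -> the type is the third colon-separated field
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
    }


def parse_audit_log(text):
    """All AVC denial records in a block of audit.log text, in file order."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def classify(rec):
    """Which of the three follow-up actions a denial calls for."""
    if rec["ttype"] in MISLABEL_TYPES:
        return "relabel"          # fix the file context, then re-test
    if rec["perms"] & RISKY_PERMS:
        return "investigate"      # look at the program before touching policy
    return "review"               # a real policy gap; candidate for an allow rule


def triage(text):
    """Group the denials in `text` by the action they call for."""
    buckets = defaultdict(list)
    for rec in parse_audit_log(text):
        buckets[classify(rec)].append(rec)
    return dict(buckets)


def allow_rules(records):
    """audit2allow-style rule lines, merging permissions per (source, target, class)."""
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= set(r["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        body = " ".join(sorted(perms))
        if len(perms) > 1:
            body = "{ " + body + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    buckets = triage(SAMPLE_AUDIT_LOG)
    for name in ("relabel", "investigate", "review"):
        print(f"== {name} ==")
        for r in buckets.get(name, []):
            print(f"  {r['comm']}: {r['stype']} -> {r['ttype']}:{r['tclass']}"
                  f" {{ {' '.join(sorted(r['perms']))} }}")
    print("== candidate rules (read these before semodule -i) ==")
    for rule in allow_rules(buckets.get("review", [])):
        print("  " + rule)
```

On a real host the input would come from `ausearch -m AVC` rather than the embedded string; the point of the three buckets is that only the last one should ever reach audit2allow, and even those rules deserve a look at whether a distro boolean or an existing reference-policy interface already covers the access.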
On Mon, Aug 01, 2016 at 10:20:32PM +0000, Parker, Michael D. wrote:
What are you all doing/have done to bootstrap your knowledge about SELinux?
I was reasonably happy with https://www.amazon.com/dp/B00FEFRG4O/ , although what I actually did was disabled unconfined on my system and asked a lot of questions trying to put it back together. :)
I found Sven's cookbook a good first step for when you go beyond sys admin and into policy writing:
https://www.packtpub.com/networking-and-servers/selinux-cookbook
Taking the time to understand how the reference policy is structured will really help, as you will always be using its interfaces in your policies:
https://github.com/TresysTechnology/refpolicy/wiki
There's no real substitute for getting in there and confining your first service though.
Cheers
Phil
From: Robin Lee Powell <rlpowell@digitalkingdom.org>
To: "Parker, Michael D." <Michael.D.Parker@ga.com>
Cc: "selinux@lists.fedoraproject.org" <selinux@lists.fedoraproject.org>
Date: 02/08/2016 17:22
Subject: Re: [selinux] RE: --EXTERNAL--Welcome to the "selinux" mailing list