SoylentNews is people
SoylentNews
Jack Wallen asks via TechRepublic
Has SELinux got you down by blocking your apps or causing general havoc? Instead of disabling it, discover how to use the SELinux Alert Browser to solve those problems.
If you're using a Linux distribution that takes advantage of SELinux, such as CentOS, Red Hat, Fedora, or SUSE, you know it can be a blessing and a curse. While SELinux is an incredibly powerful tool that goes a very long way to keep your Linux-powered machines secure, it can be a nightmare to configure. Fortunately, there is a tool called SELinux Alert Browser that can ease those troubles.
With SELinux Alert Browser, you can get quick solutions when SELinux is causing you issues. In fact, you'd be hard-pressed to find an easier route to solving your SELinux-based headaches.
[...] The Troubleshoot button will reveal possible actions you can take to resolve your issue. In some cases sealert will instruct you how to have SELinux stop auditing the issue; in other cases sealert will show how to generate a new policy module that allows an object (such as xenconsoled) access to a resource.
When SELinux Alert Browser makes suggestions, they will be in the form of commands you can run to solve the problem. If you agree with the suggestion offered by sealert, go back to the Terminal window and issue the suggested command(s). Hopefully, your issue will be resolved. If you're unsure that access should be allowed, I highly recommend doing research before issuing the suggested command(s).
Any Soylentils ever get so fed up with SELinux that you just disabled it? Think this might have avoided that?
(Score: 3, Insightful) by jmorris on Sunday February 12 2017, @06:03PM
Yes, if you do something utterly ordinary it all 'just works' but the slightest variation and everything breaks. Put home directories on NFS and watch how many SELinux rules explode. And that is a very common use case, isn't it? Then it gets worse. Go back to that web server of yours and try anything interesting. It is probably better now but mod_perl would break SELinux. Whut? Do they even test these things before enabling it by default? At RedHat? These are the morons who kept sound broken on Linux during the entire window of opportunity when people wanted off of Windows Vista. But because everyone is downstream of RedHat's alien tech it didn't matter what distro you used it was broken.
I think we need to admit there is a problem here. RedHat's economic incentives are all wrong. Their revenue model depends on Linux remaining stable on the server but not simple. And they do not really care what happens to the desktop. At all.
(Score: 0) by Anonymous Coward on Sunday February 12 2017, @07:53PM
My experience with SElinux exactly.
I've tried numerous times to tackle SElinux, and have never succeeded. Most of the blame is on the Fedora policykit being bad and lacking documentation.
Last time I just got mad at it, when I discovered Fedorapolicykit had rules for executables that didn't exist on my system. These rules enabled access when those executable exist ... but since they don't exist on my system, that's a security hole if an attacker can create one of those files. Such rules should only be added when the package is installed, i.e. at installation time.
I used to leave it in nag mode, now I just disable it.
(Score: 0) by Anonymous Coward on Sunday February 12 2017, @08:46PM
I've tried numerous times to tackle SElinux, and have never succeeded
So, do you think that the Soyvertised app and Jack's little tutorial might increase your chances of success in the future?
...or are you never looking back.
mechanicjay (Fristy) mentioned AppArmor.
Have you already gone that route?
-- OriginalOwner_ [soylentnews.org]