On Wed, Jul 26, 2017 at 4:31 PM Christian Hammond <[email protected]> wrote:
> Hi Florian,
>
> This may be caused by SELinux. I know the RPMs for stable releases contain
> SELinux rules for this, and maybe those can be extracted and used here. (I
> want to start shipping those ourselves as well.)
>

Sorry, I just happened to notice that you also mentioned "I want to start shipping those ourselves as well". Unfortunately, SELinux rules are *really* complicated and for most applications it would be nearly impossible to ship them independently. That's why we (Fedora) bundle everything together into the selinux-policy package.

The way SELinux rules work is through a combination of label-based restrictions and *transitions*. In other words, we assign every file, process and action on the system a label of some kind and then we define a set of transition rules that determines which files processes with that label have permission to access. We also add "booleans" that allow changing wide swaths of behavior for specific common needs.

So, for example, the default SELinux policy on HTTPD allows Apache to access only the files located in /var/www/html. So even if someone were to exploit the Apache server, the kernel would prevent them from using that to attack more of the system. However, this is not particularly useful when setting up a modern application; we want to be able to access a database and use memcache for faster performance. Since these are common activities, SELinux booleans exist that relax the restrictions so that the application is allowed to do this. It *does* mean that a successful attack against Apache could also be used as a jumping-off point to attack those other services, but that's a reasonable and calculated risk.

The way these transitions are written is very complicated and in many cases cannot be generalized because it will depend on what labels the distribution you're using has settled on for some other actions.

As an example, I could set up a rule that allows the "httpd_t" label to transition to "network_db_t" to access PostgreSQL and that would work fine... unless the distro you are running on arbitrarily decided that they were going to call it "apache_httpd_t" instead... Your rules would still exist, but they wouldn't be used by the system because it wouldn't match the requests being made. This is an overly-simplified example. You should see how complicated it gets when dealing with desktop applications!

tl;dr: If you discover any places where SELinux is getting in the way, please report it to the SELinux maintainers of whichever distribution is experiencing the issue. On Fedora, you can either let me know or file a bug against the selinux-policy package at https://bugzilla.redhat.com

--
Supercharge your Review Board with Power Pack: https://www.reviewboard.org/powerpack/
Want us to host Review Board for you? Check out RBCommons: https://rbcommons.com/
Happy user? Let us know! https://www.reviewboard.org/users/
---
You received this message because you are subscribed to the Google Groups "reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/d/optout.
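The message above describes two knobs a defender can inspect on an httpd host: the file labels that decide what httpd_t may touch under the web root, and the booleans (such as httpd_can_network_connect_db) that deliberately widen that reach. The script below is an added example, not code from the thread or from Review Board; it audits both from constructed sample output of `getsebool -a` and `ls -Z` so it runs offline, and the boolean names and the httpd_sys_content_t / httpd_sys_rw_content_t types are the ones found in the Fedora/RHEL targeted policy.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit which httpd booleans
# currently widen what a compromised Apache process could reach, and find files
# under the web root whose label httpd_t cannot read, whatever their mode bits.
# The two samples below are constructed; on a real host substitute
#   SAMPLE_GETSEBOOL="$(getsebool -a)"  and  SAMPLE_LS_Z="$(ls -Z /var/www/html)"

# Constructed sample of `getsebool -a` output (name --> state)
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> on
httpd_can_network_memcache --> on
httpd_enable_homedirs --> off
httpd_execmem --> off'

# Constructed sample of `ls -Z /var/www/html` output (user:role:type:level name)
SAMPLE_LS_Z='system_u:object_r:httpd_sys_content_t:s0 index.html
system_u:object_r:httpd_sys_rw_content_t:s0 uploads
unconfined_u:object_r:user_home_t:s0 deploy.tar.gz'

# Print, one per line, the httpd_* booleans that are switched on. Each enabled
# boolean is an accepted widening of the surface reachable from httpd_t, so the
# list should match what the application actually needs (db, memcache, ...).
enabled_httpd_booleans() {
    printf '%s\n' "$1" | awk '$1 ~ /^httpd_/ && $3 == "on" { print $1 }'
}

# Print files whose SELinux type is neither httpd_sys_content_t (read-only web
# content) nor httpd_sys_rw_content_t (writable web content). The kernel denies
# httpd_t access to these regardless of ownership or permission bits; the usual
# fix is `restorecon -v <file>` rather than loosening policy.
mislabeled_web_files() {
    printf '%s\n' "$1" | awk '{
        split($1, ctx, ":")
        if (ctx[3] != "httpd_sys_content_t" && ctx[3] != "httpd_sys_rw_content_t")
            print $2 " (" ctx[3] ")"
    }'
}

echo "httpd booleans currently enabled:"
enabled_httpd_booleans "$SAMPLE_GETSEBOOL"
echo "files under the web root that httpd_t cannot read:"
mislabeled_web_files "$SAMPLE_LS_Z"
```

On the sample data the first function reports httpd_can_network_connect_db and httpd_can_network_memcache, which is exactly the "database plus memcache" relaxation the message describes; anything beyond what the application needs (httpd_can_network_connect, httpd_execmem) is worth turning back off with `setsebool -P`. The second function flags deploy.tar.gz, labelled user_home_t because it was copied from a home directory; `restorecon -v /var/www/html/deploy.tar.gz` relabels it according to the policy's file contexts, which is the fix the kernel is asking for instead of a new transition rule.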
