
Re: [OCLUG-Tech] SELinux in RPM and targeted mode

  • Subject: Re: [OCLUG-Tech] SELinux in RPM and targeted mode
  • From: "Prof J C Nash (U30A)" <nashjc [ at ] uottawa [ dot ] ca>
  • Date: Wed, 22 Apr 2015 14:16:42 -0400
As far as I could determine, dokuwiki was not in the repository, though
it does seem to have been in the past. "yum install dokuwiki" says it
isn't available, though I certainly agree that install from package is
the right way to go and have the SELinux settings adjusted that way.

I also don't think there was a deliberate inclusion of SELinux by
uOttawa Telfer folk -- it's there in the Centos download. To explore the
issue I got the iso and installed it in VirtualBox and SELinux was
"enforcing" by default. I don't disagree with this, but a bit of hand
holding would be welcome for someone of the Debian religion.

It may or may not be important, but I find both the Telfer VM and my
local VBox Centos machines to be painfully slow compared to Linux Mint,
which itself seems a bit slow compared to CrunchBang or Lubuntu. Just an
observation. We all like things quick.

JN


On 15-04-22 01:50 PM, Allan Fields wrote:
> With the discussion on SELinux and restoring file contexts on site PHP
> files when in enforcing mode..
> 
> One thing I couldn't help thinking, and am tempted to comment on, is: the
> admin should not have to do that by default when you have a properly
> packaged RPM file.
> 
> Did you try from the RPM?
> 
> I was not privy to whether the DokuWiki install is by tarball or RPM. But
> in new Red Hat EL with the targeted policy you can enforce per service and
> have it add the required context during installation.
> 
> So in modern CentOS at least, this should be a non-issue if using RPM,
> unless the packager has made a mistake and omitted the file context in the
> RPM spec file header. This might be a Bugzilla/feature request item then.
> 
> What I am not clear on is whether this works in enforcing mode or not.
> It's good of the people at U of O to keep the secure defaults, even
> despite potentially disgruntled users of the image, if only to raise
> awareness of this important Linux pedagogical subject in the user
> community. The risk is people saying "Linux is a hassle with all this
> SELinux or the like" and switching to another EXE-based installer
> platform. Not true.
> 
> There should be a linked FAQ that suggests they use an SELinux-enabled
> software install or, as on this list, follow the guidance from sealert.
> Myself, I claim no expertise, but rather have seen sites force it to
> permissive to avoid hassle upfront.
> 
> There is also, in the LPIC-1 and RHCE guides, detailing of which default
> contexts apply to httpd. But as usual, there is not nearly the required
> time to tinker with it all.
> 
> They should keep it enforcing by default or at least consider "targeted"
> mode. They might get fewer support calls to IT if they use targeted.
> 
> 
> [1] SELinux faq - "If the policy shipping with an application package
> changes in a way that requires relabeling, will RPM handle relabeling the
> files owned by the package?"
> 
> https://docs.fedoraproject.org/en-US/Fedora/13/html/SELinux_FAQ/index.html#id3202962
> 
> 
> [2] CentOS 6 RPM package: dokuwiki
> 
> http://rpm.pbone.net/index.php3/stat/4/idpl/23718441/dir/centos_6/com/dokuwiki-2011.05.25a-10.3.noarch.rpm.html
> 
> 
> Thanks,
> Allan ("Out Here") Fields
> _______________________________________________
> Linux mailing list
> Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca
> http://oclug.on.ca/mailman/listinfo/linux
>
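The thread above turns on whether an admin should have to restore file contexts on site PHP files by hand. The following is an added example, not code from the OCLUG thread, from DokuWiki or from CentOS: a small POSIX shell audit that reads the output of `find <webroot> -printf '%Z %p\n'`, lists every file whose SELinux type is not one the targeted policy lets httpd serve, and prints the persistent fix commands. The web root `/var/www/html/dokuwiki`, the writable subdirectories `data` and `conf`, the function names and the sample `find` lines are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the OCLUG thread, DokuWiki or CentOS).
# Audits SELinux file labels under a web root from lines of the form
#   <context> <path>
# as produced by:   find /var/www/html/dokuwiki -printf '%Z %p\n'
# and emits the commands that make httpd's labels right persistently.
# The web root, the writable subdirectories and the sample lines below
# are assumptions for illustration.

# Types the targeted policy lets httpd read (rw/ra: also write/append).
HTTPD_TYPES="httpd_sys_content_t httpd_sys_rw_content_t httpd_sys_ra_content_t httpd_sys_script_exec_t"

# Print "<path> <type>" for every entry whose type is not an httpd content
# type. A tarball unpacked in $HOME and mv'd into /var/www keeps its
# user_home_t label, which is exactly what httpd is denied in enforcing mode.
audit_httpd_labels() {
    awk -v allowed="$HTTPD_TYPES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 2 {
            split($1, ctx, ":")                 # user:role:type:level
            type = ctx[3]
            path = $2
            for (i = 3; i <= NF; i++) path = path " " $i   # paths with spaces
            if (!(type in ok)) print path " " type
        }'
}

# Emit the persistent fix: register a file-context rule for each writable
# subdirectory, then relabel everything from the policy. chcon alone would
# be undone by the next relabel; a semanage fcontext rule survives it.
label_fix_commands() {
    root=$1
    shift
    for rw in "$@"; do
        printf "semanage fcontext -a -t httpd_sys_rw_content_t '%s/%s(/.*)?'\n" "$root" "$rw"
    done
    printf "restorecon -Rv %s\n" "$root"
}

# Constructed sample of find output for a tarball install of DokuWiki:
# two files still carry home-directory labels.
SAMPLE='system_u:object_r:httpd_sys_content_t:s0 /var/www/html/dokuwiki/index.php
unconfined_u:object_r:user_home_t:s0 /var/www/html/dokuwiki/lib/exe/js.php
unconfined_u:object_r:admin_home_t:s0 /var/www/html/dokuwiki/conf/local.php
system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/dokuwiki/data/pages'

demo_audit() { printf '%s\n' "$SAMPLE" | audit_httpd_labels; }
demo_fix()   { label_fix_commands /var/www/html/dokuwiki data conf; }

echo "Mislabeled for httpd:"
demo_audit
echo "Fix with:"
demo_fix
```

Two practical notes on the question left open in the quoted message. Labeling is independent of the mode: `restorecon` relabels the same way whether SELinux is permissive or enforcing, and the same AVC denial lands in audit.log either way; enforcing only decides whether the denial also blocks the access, so an audit like this plus `sealert -a /var/log/audit/audit.log` reads identically in both modes. And files placed under `/var/www/html` by rpm pick up the policy's default context at install time, which is why a packaged install normally needs none of the above, whereas a tarball moved in with `mv` keeps the label it had in the unpacking directory (`cp` or `cp -r` would have applied the destination's default label).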