Revision as of 13:04, 3 September 2010
SELinux Troubleshooter Redesign
Redesign setroubleshoot to bring back all possible solutions, and simplify descriptions.
- Name: Dan Walsh
- Email: email@example.com
- Targeted release: Fedora 15
- Last updated: Sep 3 2010
- Percentage of completion: 50%
We are redesigning setroubleshoot to attempt to make it easier do diagnose SELinux problems. In the current setroubleshooter the "best" match is returned for a solution to the custemer. In the new redesign, all matches will be returned. For example if samba tried to read content that it is not allowed, we would like to tell the admin that he could label the content samba_share_t or he could set up SELinux to let samba to share all content Read Only, or Read Write, or samba should not be trying to read this content, it could be a bug or an attack.
We also want to simplify the interface with easier to explain definitions, like
if you want samba to share the entire system read/only, then you need to tell SELinux system about this, by setting the samba_export_all_ro boolean. Execute the following command as root. setsebool -P samba_export_all_ro=1
Benefit to Fedora
Make SELinux easier to administrate.
How To Test
Generate different SELinux scenarios to see what the application returns.
* setup vsftpd to share the users homedir. ** ftp into the users homedir. ** Setroubleshoot should fire, check the diagnostics, do they make sense. ** Is sharing the users homedir the highest priority. * setup samba to share content in /myshares ** Try to access the share remotely ** Setroubleshoot should fire, check the diagnostics, do they make sense. ** Is setting the label to samba_share_t the highest priority. * setup samba to share /var/log ** Try to access the share remotely ** Setroubleshoot should fire, check the diagnostics, do they make sense. ** Is setting the label to samba_share_t the highest priority. * setup httpd ** to share users homedirs ** to share content in /var/lib/html ** chcon -t ssh_home_t /var/www/index.html, try to access this file from apache. * setup /root/.ssh directory, for password free login, chcon -t admin_home_t -R /root/.ssh; ssh into the box, what does setroubleshoot suggest as the solution. * the setroubleshoot package has a series of avcs in the setroubleshoot/framework/test/audit/data directory, if you cat them to setdispatch, the setroubleshoot tool should fire. What are the suggested fixes? Do they make sense.
The gui will change quite a bit. Hopefully becoming a lot less technical.
We can stick with the current setroubleshoot. No other packages will be affected.