Revision as of 19:48, 3 September 2010
SELinux Troubleshooter Redesign
Summary
Redesign setroubleshoot to bring back all possible solutions, and simplify descriptions.
Owner
- Name: Dan Walsh
- Email: dwalsh@redhat.com
Current status
- Targeted release: Fedora 15
- Last updated: Sep 3 2010
- Percentage of completion: 50%
Detailed Description
We are redesigning setroubleshoot to make it easier to diagnose SELinux problems. The current setroubleshoot returns only the "best" match as the solution offered to the customer. In the redesign, all matches will be returned. For example, if samba tried to read content it is not allowed to read, we would like to tell the admin that he could label the content samba_share_t, or he could set up SELinux to let samba share all content Read Only or Read Write, or that samba should not be trying to read this content at all, which could be a bug or an attack.
We also want to simplify the interface with definitions that are easier to explain, such as:
If you want samba to share the entire system read-only, you need to tell SELinux about this by setting the samba_export_all_ro boolean. Execute the following command as root: setsebool -P samba_export_all_ro=1
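To make the "all matches" idea concrete, here is an added illustration (not setroubleshoot's own code) of a small plugin chain that runs every plugin over one AVC denial and returns all matching solutions in priority order instead of only the best one. The plugin names and priorities, the ausearch check and the samba_export_all_rw boolean are assumptions of this example, and the sample AVC line is constructed.

```python
import re

# Constructed sample AVC denial: smbd reading a file labelled user_home_t.
SAMPLE_AVC = (
    'type=AVC msg=audit(1283538480.123:45): avc:  denied  { read open } for '
    'pid=2143 comm="smbd" name="report.txt" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:smbd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?'
    r'scontext=\w+:\w+:(?P<sdomain>\w+).*?'
    r'tcontext=\w+:\w+:(?P<ttype>\w+).*?tclass=(?P<tclass>\w+)'
)

def parse_avc(line):
    """Pull source domain, target type, class and permissions from one AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = m.groupdict()
    avc['perms'] = set(avc['perms'].split())
    return avc

# Each plugin maps an AVC to (priority, explanation, fix) or None (assumed layout).
def samba_share_t(avc):
    if avc['sdomain'] == 'smbd_t' and avc['ttype'] != 'samba_share_t':
        return (100, 'Label the content samba_share_t', 'chcon -R -t samba_share_t /path')

def samba_export_all_ro(avc):
    if avc['sdomain'] == 'smbd_t' and avc['perms'] <= {'read', 'open', 'getattr', 'lock'}:
        return (50, 'Let samba share the whole system read-only',
                'setsebool -P samba_export_all_ro=1')

def samba_export_all_rw(avc):  # boolean name assumed for illustration
    if avc['sdomain'] == 'smbd_t' and avc['perms'] & {'write', 'append', 'create', 'unlink'}:
        return (40, 'Let samba share the whole system read/write',
                'setsebool -P samba_export_all_rw=1')

def catchall(avc):
    return (1, 'samba should not be reading this; it may be a bug or an attack',
            'ausearch -m avc -ts recent')

PLUGINS = [samba_share_t, samba_export_all_ro, samba_export_all_rw, catchall]

def diagnose(line):
    """Return every matching solution, highest priority first (not only the best)."""
    avc = parse_avc(line)
    if avc is None:
        return []
    hits = [r for r in (p(avc) for p in PLUGINS) if r is not None]
    return sorted(hits, key=lambda r: -r[0])
```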
Benefit to Fedora
Make SELinux easier to administrate.
Scope
Limited impact.
How To Test
Generate different SELinux scenarios to see what the application returns.
- Set up vsftpd to share the user's home directory.
- FTP into the user's home directory.
- Setroubleshoot should fire; check the diagnostics. Do they make sense?
- Is sharing the user's home directory the highest priority?
- Set up samba to share content in /myshares.
- Try to access the share remotely.
- Setroubleshoot should fire; check the diagnostics. Do they make sense?
- Is setting the label to samba_share_t the highest priority?
- Set up samba to share /var/log.
- Try to access the share remotely.
- Setroubleshoot should fire; check the diagnostics. Do they make sense?
- Is setting the label to samba_share_t the highest priority?
- Set up httpd:
  - to share users' home directories
  - to share content in /var/lib/html
- chcon -t ssh_home_t /var/www/index.html, then try to access this file from apache.
- Set up the /root/.ssh directory for password-free login, run chcon -t admin_home_t -R /root/.ssh, then ssh into the box. What does setroubleshoot suggest as the solution?
- The setroubleshoot package has a series of AVCs in the setroubleshoot/framework/test/audit/data directory; if you cat them to setdispatch, the setroubleshoot tool should fire. What are the suggested fixes? Do they make sense?
User Experience
The GUI will change quite a bit, hopefully becoming a lot less technical.
Dependencies
None
Contingency Plan
We can stick with the current setroubleshoot. No other packages will be affected.
Documentation
Release Notes
- Old AVC alerts will be deleted, since the format of the alert database has changed.