The problem with SELinux (still)

November 13, 2012

Here's a list of almost all of the bugs that got fixed in a recent Fedora 17 SELinux policy update:

867107 - SELinux is preventing /usr/sbin/in.tftpd from using the 'dac_override' capabilities.
868656 - SELinux is preventing /usr/bin/python2.7 from using the 'sys_nice' capabilities.
868866 - SELinux is preventing /usr/sbin/fping from 'create' accesses on the rawip_socket .
869468 - SELinux is preventing tuned from using the 'setsched' accesses on a process.
871097 - SELinux is preventing haveged from 'read' accesses on the file meminfo.
872768 - SELinux is preventing /usr/sbin/rpc.statd from 'write' accesses on the sock_file rpcbind.sock.
872894 - SELinux is preventing /usr/libexec/nm-openvpn-service from 'open' accesses on the file /home/karl/.cert/klatiss.key.
873030 - SELinux is preventing /usr/bin/dbus-daemon from 'write' accesses on the blk_file /dev/sdb.
873393 - SELinux is preventing /usr/bin/qemu-system-x86_64 from using the 'execmem' accesses on a process.
846001 - type=AVC msg=audit(1344196154.847:445): avc: denied { create } for pid=6975 comm="rhnsd" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=unix_dgram_socket
868456 - SELinux is preventing freshclam from search access on the directory amavisd.
870659 - SELinux is preventing agetty from access on ttyUSB0.
821189 - SELinux is preventing polkit-agent-he from using the 'setsched' accesses on a process.
860226 - SELinux is preventing /usr/sbin/nslcd from 'name_connect' accesses on the tcp_socket .
865328 - SELinux is preventing /usr/lib64/nspluginwrapper/npconfig from 'getattr' accesses on the filesystem /.

I want to emphasize that this is a completely typical bug list for a completely typical SELinux policy update. I have not cherry-picked an unusually long one; they are pretty much all like this.

Fedora has been using SELinux for years, probably at least half a decade by now. It is still fixing many, many instances where SELinux gets in the way of programs doing legitimate things that people want them to do. The progress that it has made in literally years is at best that these are somewhat more obscure programs doing somewhat more unusual things than they used to be. Using SELinux in non-mainstream environments still means a steady rain of these denials, all of them getting in your way.

(Distributions have spent years desperately trying to make it easier to deal with this rain, but it is still a pain in the rear. I run into it periodically on my laptop, on which I still masochistically have SELinux turned on.)

Note that this is not using SELinux in non-default configurations. These bugs are all (I assume) from stock configuration systems that SELinux just didn't quite cope with correctly.

At a meta-level all of these bugs happen because doing a complete inventory of legitimate program behavior is very hard, especially because it's not something that can be done automatically (at least currently). A fallible human has to stare a lot at a program to write its SELinux policy, and if they miss something you get another one of these bugs. People miss obscure corner cases a lot, especially when they are not intimately familiar with all of the aspects of the software.

Also, these are only the bug fixes for the bugs that people actually reported to Fedora. Since reporting Fedora bugs involves more than a little bit of work and pain I assume that any number of people don't bother to report SELinux problems that they run across; they either just tell the system to make things work or they turn SELinux off entirely.
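As an added example (not code from the post), here is a small parser for the kernel AVC record format quoted in bug 846001 above; it groups denials by source type, target class and permission, which is the first triage step before deciding whether a denial is a policy gap or something that should stay denied. Only the first sample record is from the post; the haveged lines and the SYSCALL line are constructed, and the haveged_t type is assumed.

```python
import re
from collections import Counter

# Matches the kernel AVC record format quoted in the post (bug 846001):
#   type=AVC msg=audit(<ts>:<serial>): avc: denied { perm... } for key=val ...
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one audit line; return a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # Contexts are user:role:type[:level]; the type is what a policy rule keys on.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else rec[ctx]
    return rec

def summarize_denials(lines):
    """Count denials by (source type, target class, permission) for triage."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec.get("scontext_type"), rec.get("tclass"), perm)] += 1
    return counts

# Sample input: the first line is quoted from the post; the rest are constructed.
SAMPLE_LOG = [
    'type=AVC msg=audit(1344196154.847:445): avc: denied { create } for pid=6975 comm="rhnsd" scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=unix_dgram_socket',
    'type=SYSCALL msg=audit(1344196154.847:445): arch=c000003e syscall=41 success=no exit=-13',
    'type=AVC msg=audit(1352000001.000:501): avc:  denied  { read open } for  pid=2201 comm="haveged" name="meminfo" scontext=system_u:system_r:haveged_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file',
    'type=AVC msg=audit(1352000002.000:502): avc:  denied  { read } for  pid=2201 comm="haveged" name="meminfo" scontext=system_u:system_r:haveged_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file',
]

if __name__ == "__main__":
    for (stype, tclass, perm), n in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"{n:3d}  {stype:<20} {tclass:<20} {perm}")
```

A real audit.log interleaves AVC records with SYSCALL and other record types sharing the same serial, which is why the parser skips anything that is not an AVC record rather than failing on it.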

(See also.)

Comments on this page:

From at 2012-11-14 03:27:47:

I have not had any problems running SELinux enforcing mode since Fedora 8 or 9.

Since I now run CentOS 6 (equivalent of Fedora 12) I no longer know what the status is in Fedora nowadays. In RHEL/CentOS I do not have any problems (50+ servers in enforcing mode and counting).

So while it is true that bugs are actively being fixed, the product actually works out of the box in most cases for the production releases of RHEL/CentOS (which is what I care about, to be honest). I have other things to do than to reinstall my laptop every 6 months or 1 year.

Written on 13 November 2012.

Last modified: Tue Nov 13 17:17:09 2012