Chris's Wiki :: blog/linux/FHSNotAlwaysRightII Comments
https://utcc.utoronto.ca/~cks/space/blog/linux/FHSNotAlwaysRightII?atomcomments
2011-01-18T08:51:04Z
Recent comments in Chris's Wiki :: blog/linux/FHSNotAlwaysRightII.

From 80.254.147.20 on /blog/linux/FHSNotAlwaysRightII
<div class="wikitext"><blockquote><p>my core issue is just a Fedora/RHEL grump</p>
</blockquote>
<p>Linux distributions are very much a tempestuous love/hate relationship :)</p>
<p>By default SLES and Ubuntu (not sure about Debian) use AppArmor as their mandatory access control (MAC) with SELinux available. I’m unaware of AppArmor availability for RHEL/CentOS, but thanks to a quick update from Wikipedia I’m now informed “AppArmor was integrated into the October 2010, 2.6.36 kernel release”, so its use could become more widespread.</p>
<p>AppArmor/SELinux are also on my ever-growing list of technologies I really should be familiar with (that list grows far too quickly). From what commentary I’ve read, AppArmor is less complex and is a little easier to work with due to its learning mode, which can produce a profile, and because it works on paths rather than SELinux's use of "security labels" on files/inodes (SELinux proponents would counter-argue that AppArmor's access control is less comprehensive).</p>
<p>As with most things I suppose it’s a matter of understanding the differences, the implications of those differences, and choosing what is most aligned with your needs. Of course gaining that understanding requires ever more of that scarce resource – time.</p>
<p>Just to save some typing:<br>
<a href="http://en.wikipedia.org/wiki/Mandatory_access_control">http://en.wikipedia.org/wiki/Mandatory_access_control</a><br>
<a href="http://en.wikipedia.org/wiki/Security-Enhanced_Linux">http://en.wikipedia.org/wiki/Security-Enhanced_Linux</a><br>
<a href="http://en.wikipedia.org/wiki/AppArmor">http://en.wikipedia.org/wiki/AppArmor</a><br>
<a href="http://en.wikipedia.org/wiki/Comparison_of_Linux_distributions#Security_features">http://en.wikipedia.org/wiki/Comparison_of_Linux_distributions#Security_features</a><br>
</p>
<p>Great blog Chris, thanks for the informative commentary.</p>
<p>S</p>
</div>
2011-01-18T08:51:04Z

By Chris Siebenmann on /blog/linux/FHSNotAlwaysRightII
<div class="wikitext"><p>You're right; my research is based on Ubuntu (with an assumption that it
applied to Debian as well) and Fedora/RHEL (I don't count them as separate
distributions for this sort of stuff). I didn't look at others, and I should
have.</p>
<p>Now that I start looking, I wonder just how widely supported SELinux is
at all. SLES 11 doesn't support it, Ubuntu may support it but doesn't
make it the default (it doesn't even install the tools by default),
Debian seems similar to Ubuntu, Gentoo has vague gestures at support,
and after that I lost interest. It's probably the case that my core
issue is just a Fedora/RHEL grump.</p>
</div>
2011-01-17T17:18:07Z

From 80.254.147.20 on /blog/linux/FHSNotAlwaysRightII
<div class="wikitext"><p>"I meant no distribution uses it and configures programs to use it and so on."</p>
<p>Easy tiger - that's quite a sweeping statement that I'm guessing is not backed up with research you can show.</p>
<p>SUSE Linux Enterprise Server (SLES) uses "/srv" by default for at least Apache virtual hosts and the default location for an FTP server.</p>
<p>There's probably more, but they're the two configured by default on my rather minimal install.</p>
</div>
2011-01-17T15:42:07Z

By Chris Siebenmann on /blog/linux/FHSNotAlwaysRightII
<div class="wikitext"><p>To clarify: by 'no one uses it', I meant no <em>distribution</em> uses it and
configures programs to use it and so on. Individual sysadmins can use
<code>/srv</code> just as much as we can use anything else, but that doesn't help
with things like SELinux.</p>
<p>(Even if distributions can't put files in <code>/srv</code>, they could mention
it in configuration examples. I've never seen any mentions of it in
sample and default config files, even as comments saying 'if you have
a lot of stuff, uncomment this stanza to put it in the FHS location
for that, <code>/srv</code>'.)</p>
<p>As for <code>/srv</code> being mentioned in SELinux configurations: on the machines
I have with SELinux packages, the coverage is incomplete. For example,
neither PostgreSQL nor MySQL have their SELinux stuff set up to work with
<code>/srv</code>.</p>
</div>
2011-01-17T14:04:51Z

From 194.74.151.201 on /blog/linux/FHSNotAlwaysRightII
<div class="wikitext"><blockquote><p>That's the problem; no one uses it.</p>
</blockquote>
<p>Seriously? Based on what information?</p>
<p>Software doesn't ship with its configuration files pointing at /srv because package management explicitly states that packages shouldn't touch it. That serves as no indication as to how <em>you</em> should use /srv though. A cursory grep through /etc/selinux/targeted/contexts/files on EL5 shows a number of default contexts for places that you can relocate data under /srv.</p>
<pre>
/srv/.* system_u:object_r:var_t:s0
/srv/([^/]*/)?ftp(/.*)? system_u:object_r:public_content_t:s0
/srv/([^/]*/)?web(/.*)? system_u:object_r:httpd_sys_content_t:s0
/srv/([^/]*/)?www(/.*)? system_u:object_r:httpd_sys_content_t:s0
/srv/([^/]*/)?rsync(/.*)? system_u:object_r:public_content_t:s0
</pre>
<p>- Dan Carley</p>
</div>
2011-01-17T10:16:00Z

From 83.150.82.85 on /blog/linux/FHSNotAlwaysRightII
<div class="wikitext"><p>Isn't /srv supposed to be untouched by the package systems like /opt according to FHS? That said, packages should be built so that the user can configure them to use /srv if it pleases the user.</p>
</div>
2011-01-17T09:04:08Z

From 77.249.14.105 on /blog/linux/FHSNotAlwaysRightII
<div class="wikitext"><p>That's not true; we use /srv for all our NFS shares that get mounted by ESX, for instance, and also for quite a big Sybase database. So there is at least one company using /srv.</p>
<p>On your SELinux rants: just learn how to use it. It's trivial if you RTFM. The CentOS wiki has quite a nice guide to it.</p>
<p>--
natxo</p>
</div>
2011-01-17T07:05:29Z
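An added worked example, not code from the page or from any of the commenters: the file_contexts excerpt Dan Carley quotes above is a list of anchored regular expressions, and whether a data directory relocated under /srv ends up with a usable label depends entirely on whether one of those patterns covers it, which is the point Chris makes about PostgreSQL and MySQL. The small Python matcher below replays that lookup over the five quoted lines for some constructed paths. It assumes the last matching entry wins, which is the reading order file_contexts is written in (general patterns first, specific ones later, and file_contexts.local appended after the shipped entries); libselinux also sorts entries by specificity when it compiles the file, which this toy does not model. The type name postgresql_db_t used for the local rule is an assumption about the targeted policy. On a real system, check the authoritative answer with `matchpathcon` or `semanage fcontext -l` rather than this script.

```python
import re

# The five /srv lines quoted from an EL5 /etc/selinux/targeted/contexts/files
# file_contexts in the thread above, used here as sample input. A real file has
# thousands of entries, including a catch-all "/.*" line that is not shown.
FILE_CONTEXTS_EXCERPT = """\
/srv/.*                    system_u:object_r:var_t:s0
/srv/([^/]*/)?ftp(/.*)?    system_u:object_r:public_content_t:s0
/srv/([^/]*/)?web(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/srv/([^/]*/)?www(/.*)?    system_u:object_r:httpd_sys_content_t:s0
/srv/([^/]*/)?rsync(/.*)?  system_u:object_r:public_content_t:s0
"""


def parse_file_contexts(text):
    """Parse file_contexts lines into (regex, file-type flag, context) tuples.

    Each line is "<regex> [-type] <context>". The regex must match the whole
    path, so it is anchored with ^ and $ here, as libselinux does when it
    compiles the file.
    """
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3:
            regex, ftype, context = fields
        elif len(fields) == 2:
            regex, context = fields
            ftype = None
        else:
            raise ValueError("malformed file_contexts line: %r" % raw)
        specs.append((re.compile("^" + regex + "$"), ftype, context))
    return specs


def match_context(specs, path):
    """Return the context the specs assign to path, or None if nothing matches.

    Assumption: the last matching entry wins, which is why a local rule
    appended after the distribution entries overrides them. The file-type
    flag (-d, -l, ...) is ignored by this toy matcher.
    """
    chosen = None
    for regex, _ftype, context in specs:
        if regex.match(path):
            chosen = context
    return chosen


def selinux_type(context):
    """Extract the type field (user:role:TYPE:level) from a context string."""
    return context.split(":")[2] if context else None


def relocation_check(specs, paths):
    """Map each candidate path to the SELinux type the policy would give it."""
    return {p: selinux_type(match_context(specs, p)) for p in paths}


# Constructed paths for data someone might relocate under /srv.
SAMPLE_PATHS = [
    "/srv/www/html/index.html",          # covered: httpd_sys_content_t
    "/srv/example.com/www/index.html",   # one leading component is allowed
    "/srv/ftp/pub/README",               # covered: public_content_t
    "/srv/myftp/README",                 # 'myftp' is not the 'ftp' component
    "/srv/pgsql/data/base/1/1259",       # no database rule: only var_t
    "/srv",                              # the directory itself: no match here
]

if __name__ == "__main__":
    specs = parse_file_contexts(FILE_CONTEXTS_EXCERPT)
    for path, stype in relocation_check(specs, SAMPLE_PATHS).items():
        print("%-36s %s" % (path, stype))
    # What a local rule such as
    #   semanage fcontext -a -t postgresql_db_t "/srv/pgsql(/.*)?"
    # would add (postgresql_db_t is assumed to be the type the targeted policy
    # uses for PostgreSQL data); appended after the shipped entries, it wins.
    local = parse_file_contexts(
        "/srv/pgsql(/.*)?  system_u:object_r:postgresql_db_t:s0")
    print(relocation_check(specs + local, ["/srv/pgsql/data/base/1/1259"]))
```

The interesting rows are the misses: `/srv/myftp/README` falls back to `var_t` because the pattern requires `ftp` as a whole path component, and `/srv/pgsql/...` gets `var_t` because nothing in the shipped policy knows about databases under /srv, so the daemon's domain will be denied access until a local fcontext rule (plus `restorecon`) is added.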