SELinux usability improvements

Latest response

For a lot of stuff creating custom policy modules, however small, is necessary as part of normal implementation routines.

Doing this process on the CLI of a server is as cumbersome as it is annoying, due to a number of things which should be rather easily solvable

  • Documentation; The Tresys Reference Policy API should have a patched equivalent in Red Hat docs
  • Documentation: The available generic macros are horribly documented, which is unneccessary. They should be within aforementioned API documentation
  • 'auto_require' or something similar: When creating a custom policy, you often have to fill the require block manually, which is a horribly annoying and seemingly unnecessary trial-and-error process. For example; if I use manage_dirs_pattern(), is it really that hard to detect it uses & needs class dir with everything but the kitchen sink in the require block? A lot of interfaces already use gen_require() to do this, but it really shouldn't be that hard to pick up completely automatically.
  • Using kernel_dontaudit_list_all_proc() excludes everything of proc_type, which, as it turns out, isn't a whole lot. More of these attributes are needed on more locations.
  • Compiler errors: Wrong lines are indicated, the errors are unhelpful and undescriptive
  • vim/emacs highlighting is basic at best. It could be loads better and more useful.

Also, I think it's advisable to warn people more of using audit2allow. While a useful tool, it really shouldn't just be trusted.

Responses

I agreed with this post. SELinux is the pain to use. 99% of the servers I built are SELinux disabled first, before setting anything else. It causes so much trouble to setup, and we don't have much time to setup correctly, or troubleshoot. It likes need to have rocket science knowledge to make it working. And I'm just busy sys admin wearing so many hats. ;-)

SELinux for servers is nice, but it's pitiful that Windows has better security for isolating GUI apps than Linux now has.  Proper XACE integration with GNOME is needed, big time.

 

Oracle has Trusted Extensions which isolate communications between applications on different workspaces on Java Desktop System....