[olug] SELINUX, you irritate me
Lou Duchez
lou at paprikash.com
Tue Jul 16 14:44:12 CDT 2019
So when SELinux came out ages ago, I quickly developed a strong distaste
for it. It felt like it was more likely to do harm than good, like a
security guard in your building who insists on quarantining your
groceries to make sure you're not a drug smuggler. I found I had to
shut SELinux off to get things to work.
Years later, I am finally conceding that SELINUX is here to stay, and
it's time to learn to love it (or at least tolerate it). Here's how I
finally got on SELinux's side:
1) Throw SELinux into "permissive" mode by editing
/etc/sysconfig/selinux and rebooting. (If SELinux had been "disabled",
upon reboot, SELinux is going to have to relabel all the files on your
system. This is actually pretty quick, unless you've got directories
and directories and directories of files. I had to do this on a couple
servers that had years of daily snapshots on them, and after a couple
days the relabeling wasn't done. I eventually deleted most of the old
backups -- kept one backup per month, and only since Jan 2018 -- and the
relabel took under 10 minutes. Math-wise, I suspect the relabeling does
not scale linearly with the number of files, but perhaps with the square
of the number of files.)
2) After the reboot, you can run "audit2why -b" and "audit2allow -b"
to get information on operations that SELinux has noted have violated
policy since booting. (There are options other than "-b", but I'm just
talking about how to make SELinux reasonable. And to me, it's pretty
reasonable to look at how it's been doing since the last boot.)
3) You can run "audit2allow -b -M newrules" to create a file,
"newrules.pp", that contains SELinux rules necessary to allow all the
operations that were violating policy. You can load it by running
"semodule -i newrules.pp". You can also look at "newrules.te" to see a
more visually understandable list of new rules. Now I won't claim to
fully understand what the rules are, but I can generally see processes I
recognize and take it on faith that they're trying to do something
reasonable. Like recently I found this entry in newrules.te:
allow dhcpd_t unlabeled_t:file { append getattr link map open read unlink write };
I could do some digging to try to figure out exactly what file it's
trying to get at. However, I also know that I've got some custom code
that creates and overwrites files in /var/lib/dhcpd, so it seems likely
that SELinux finds my custom code questionable. Okay SELinux, you win,
I'll let you have that rule.
4) After applying new rules, reboot. Maybe do another "audit2allow
-b" to see if anything is still coming up.
5) Every few days, see if SELinux is still coming up with messages
and warnings. Hopefully you'll reach a point where SELinux goes for
days without having any complaints.
6) Once you're satisfied that SELinux seems to be pretty happy with
things, THEN is when you switch SELinux to "enforcing", over in
/etc/sysconfig/selinux.
All that work to get SELinux properly tuned for your system. But I ...
guess it makes things better? People either love SELinux or hate it
with a passion, there seems to be no middle ground, and I think I see why.
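As an added example (not the poster's code and not part of the original message), here is a small POSIX shell helper for the permissive-mode loop in steps 2 through 6 above. It assumes a RHEL/Fedora-style host with policycoreutils and auditd installed (getenforce, ausearch, audit2why, audit2allow, semodule); the function names are invented for this example, and the audit records in SAMPLE_AVC are constructed, not real logs. The one thing it adds beyond the post's procedure is `semodule -DB`, which temporarily switches off the policy's "dontaudit" rules so that denials the policy normally keeps out of the log are visible while you tune.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the permissive-mode
# tuning loop: summarise AVC denials since boot, then build a module from them.
# Assumes a RHEL/Fedora-style host with policycoreutils and auditd installed
# (getenforce, ausearch, audit2why, audit2allow, semodule). The function
# names are made up here; the tools and their flags are real.

# Summarise "avc: denied" audit records read from stdin into audit2allow-style
# allow lines, one per (source type, target type, class), prefixed by how many
# records hit that triple. Granted AVCs and non-AVC records are ignored.
avc_summary() {
  awk '
    /type=AVC/ && /avc: *denied/ {
      src = tgt = cls = ""; inb = 0; n = 0
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      { split(substr($i, 10), a, ":"); src = a[3] }
        else if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); tgt = a[3] }
        else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        else if ($i == "{")         { inb = 1 }          # start of { perms }
        else if ($i == "}")         { inb = 0 }
        else if (inb)               { p[++n] = $i }
      }
      key = src " " tgt ":" cls
      count[key]++
      for (j = 1; j <= n; j++)                            # union of permissions
        if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; perms[key] = perms[key] " " p[j] }
    }
    END { for (k in count) printf "%d allow %s {%s };\n", count[k], k, perms[k] }
  ' | sort -k1,1nr -k2
}

# Step 2 of the post, plus one check the post does not do: temporarily
# disable "dontaudit" rules (semodule -DB) so denials the policy normally
# hides are logged too. Refuses to run unless the box is already permissive.
selinux_review() {
  [ "$(getenforce)" = "Permissive" ] || { echo "SELinux is not permissive" >&2; return 1; }
  semodule -DB                           # disable dontaudit, rebuild policy
  ausearch -m avc -ts boot | avc_summary # denials since boot, grouped
  audit2why -b                           # the post's own check
}

# Step 3: generate NAME.te / NAME.pp from denials since boot. The .te is
# printed for review; loading (semodule -i NAME.pp) is left to the operator.
selinux_build_module() {
  name=${1:-newrules}
  audit2allow -b -M "$name" || return 1
  cat "$name.te"
  semodule -B                            # re-enable dontaudit rules
  echo "If the rules look sane: semodule -i $name.pp, then reboot and re-check." >&2
}

# Constructed audit records (not real logs) so avc_summary can be tried offline.
SAMPLE_AVC=$(cat <<'EOF'
type=AVC msg=audit(1563302652.101:233): avc:  denied  { write } for  pid=1201 comm="dhcpd" name="dhcpd.leases" dev="dm-0" ino=4711 scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1563302652.101:233): arch=c000003e syscall=1 success=yes exit=42 comm="dhcpd"
type=AVC msg=audit(1563302653.222:234): avc:  denied  { open } for  pid=1201 comm="dhcpd" path="/var/lib/dhcpd/dhcpd.leases" scontext=system_u:system_r:dhcpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=1
type=AVC msg=audit(1563302654.333:235): avc:  denied  { read } for  pid=2300 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1563302655.444:236): avc:  granted  { setenforce } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
EOF
)

# Offline demo on the constructed records.
printf '%s\n' "$SAMPLE_AVC" | avc_summary
```

Run `selinux_review` on a permissive box to see what has been denied since boot, grouped the same way audit2allow would group it, and `selinux_build_module newrules` to produce newrules.te for inspection before anything is loaded. Two cautions worth adding to the post's procedure: `semodule -DB` makes the log much noisier and must be undone with `semodule -B` (the build function does this), and a target type of `unlabeled_t`, as in the rule the post quotes, usually means the files carry no label at all (typical for files created while SELinux was disabled) rather than that the policy objects to dhcpd touching its own state directory; `restorecon -Rv /var/lib/dhcpd` relabels them to whatever the policy's file contexts specify for that path and is a narrower fix than allowing dhcpd_t to read and write unlabeled_t anywhere on the system.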