gdt: Kangaroo road sign (Default)
[personal profile] gdt

There is good documentation on upgrading Fedora using yum on the Fedora project wiki. I tried this, and it crashed halfway through when changing SELinux policy killed the ssh connection I was using to run yum. The resulting half-upgraded machine took about half a day to recover. It says a lot about the robustness of Fedora that it was recoverable at all.

If you want to follow the wiki's directions I suggest the following additional steps:

  • Boot into single user mode with SELinux enforcement off. That is, with the kernel parameters enforcing=0 s.

  • Run yum from the console.

After the upgrade I couldn't get sendmail to work with SMTP AUTH or with milters such as SpamAssassin or ClamAV. After a false start (sendmail is picky about file permissions) I tracked this down to a shortcoming in the SELinux policies which prevented sendmail from opening the Unix-domain sockets used to communicate with saslauthd and the milter daemons. Generating a fix to this was surprisingly easy.

grep mail /var/log/audit/audit.log | audit2allow -M local
semodule -i local.pp
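To show what those two commands actually do with the audit log, here is an added example (my own, not from the post or from the audit2allow tool) that parses AVC denial records and collapses them into the type-enforcement allow rules audit2allow -M would generate. The audit lines and the SELinux type names in them are constructed for illustration; the comm_filter plays the part of the grep mail stage.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the post). The field layout
# is the one audit2allow reads; the target types are assumed for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1200000000.101:11): avc:  denied  { connectto } for  pid=2101 comm="sendmail" path="/var/run/saslauthd/mux" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:saslauthd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1200000000.102:12): avc:  denied  { connectto } for  pid=2101 comm="sendmail" path="/var/run/spamass-milter/spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:system_r:spamass_milter_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1200000000.103:13): avc:  denied  { write } for  pid=2101 comm="sendmail" name="spamass-milter.sock" scontext=system_u:system_r:sendmail_t:s0 tcontext=system_u:object_r:spamass_milter_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1200000000.104:14): avc:  denied  { read } for  pid=3002 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1200000000.101:11): arch=c000003e syscall=42 success=no exit=-13
"""

# One AVC denial: permissions, the process name, source/target type, object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=\w+:\w+:(?P<stype>\w+):.*?tcontext=\w+:\w+:(?P<ttype>\w+):'
    r'.*?tclass=(?P<tclass>\w+)'
)


def parse_denials(log_text, comm_filter=None):
    """Yield (source type, target type, class, permissions) per AVC denial.
    comm_filter does what `grep mail` does in the post: keep only denials
    whose comm field contains that substring, so unrelated daemons' denials
    never end up in the module."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (comm_filter and comm_filter not in m["comm"]):
            continue
        yield m["stype"], m["ttype"], m["tclass"], m["perms"].split()


def build_te_rules(log_text, comm_filter=None):
    """Collapse denials into one allow rule per (source, target, class), the
    shape audit2allow puts in local.te: each rule names the exact target type,
    so sendmail gains the sockets it was denied and nothing wider."""
    perms_by_key = defaultdict(set)
    for stype, ttype, tclass, perms in parse_denials(log_text, comm_filter):
        perms_by_key[(stype, ttype, tclass)].update(perms)
    return sorted(
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in perms_by_key.items()
    )


if __name__ == "__main__":
    print("\n".join(build_te_rules(SAMPLE_AUDIT_LOG, comm_filter="mail")))
```

Reading the generated rules before running semodule -i is the check that matters: each line should name a specific target type and class, and any rule that grants a domain access to a broad or unrelated type is a sign the grep stage let the wrong denials through.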

I reported the generated fix to the Red Hat Bugzilla. There's already a modified selinux-policy-targeted in Rawhide -- astonishingly fast work which made me feel guilty about the snarky comment I left in the bug report.

Overall the two experiences have made me feel a lot better about the quality of SELinux. It's simple to apply a fix for a less-than-perfect policy and the maintainer is incredibly responsive to bug reports. I also like that it works as advertised on the box: sendmail couldn't open those Unix-domain sockets, and the fix allows access just to the sockets needed, not some hack which undermines security by giving access to all Unix-domain sockets.

When I see an exploit for a bug I sometimes grep the network flow records to see how long it was around before being reported. One month seems pretty typical for my unscientific sample. So even having up-to-date software is insufficient protection. It's nice that SELinux provides a mechanism that doesn't rely on patches. It's going to be essential on Internet-facing servers within a few years.

Glen Turner

September 2021

S M T W T F S
   1234
567891011
121314151617 18
19202122232425
2627282930  

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags
Page generated 2026-01-03 08:42
Powered by Dreamwidth Studios