danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Add to Memories Share Next Entry
VMWare wants you to turn SELinux off? Really?
danwalsh
i·ro·ny
1.  The use of words to convey a meaning that is the opposite of its literal meaning: the irony of her reply, “How nice!” when I said I had to work all weekend.
2. an outcome of events contrary to what was, or might have been, expected.

One of the great features of KVM Virtualization is that each virtual machine is wrapped in an SELinux sandbox.   All the software used to run a virtual machine on a host is called a hypervisor.  When you run virtual machines, you have to worry about hypervisor vulnerabilities, which would allow your guest operating system to attack the host or other virtual machines you have running on the host.

We strive to make the Linux KVM Hypervisor as secure as possible, but bugs happen.  SELinux can control what the virtual machine process can and can not do on the host machine.   If you are running virtual machines on you Fedora or Red Hat box, you really should be running SELinux in enforcing mode.

It has come to my attention that VMWare support is suggesting people turn off SELinux...  I guess SELiux is too complicated for the VMWare crack support team to handle.

At Red Hat we consider security a priority, VMWare I am not so sure.

If you are having a problem running any VMWare product on a RHEL or Fedora Operating system, contact me dwalsh@redhat.com and I will help you run your virtual machines and leave the security in place...

Hacking the Cloud
April 2011 "How it Works" issue of Popular Science,   by Marie Pacella


The principal problem is not with the VMWare crack support team; it is with the SELinux crackhead documentation.

For some reason, SELinux developers have just dug-in their heels on this issue. But so long as SELinux is so abominably explained, it is less a security system than a black box with unexplained knobs, accompanied by sheets of Linear A.


What documentation would you like to see?

danwalsh

2012-03-03 01:22 pm (UTC)

Have you opened a bugzilla for documentation that you see missing? RFE?

I am an SELinux developer and I have not dug my heels in on any documentation that I know of.

RHEL has lots of documentation. I publish pretty regularly there is lots of documentation available on access.redhat.com. Fedora has a couple of docs written on SELinux.

http://docs.fedoraproject.org/selinux-user-guide/f12/en-US/
http://docs.fedoraproject.org/selinux-managing-confined-services-guide/en-US/F11/html/

I have recently created over 400 man pages on confined domains, and am working on man pages for each confined user type.


I haven't opened bug reports, and don't expect that I will. Sometimes, the appropriate response to a mess that others have created is to pitch-in and help; but other times it's best just to go home.

A count of man pages is a poor metric for the quality of documentation. The immediate, dire problem with SELinux is in the gateway documentation — written for those unfamiliar with SELinux as they try to develop such familiarity. The ostensible gateway documentation that one finds for SELinux is characterized by lacunæ, by peculiar, undefined terms, and by forward references; it is readily intelligible only to those who have already passed into the citadel (perhaps by participating in its building).

As to the digging-in of heels, the problem is pretty obvious and long-standing, yet it isn't being addressed. Initially, I would attribute it to the fact that some people find it hard to teach well; but, as the problem abides, I wonder increasingly about the desire to collect informational rents, by maintaining a barrier to entry.

In any case, until better documentation is provided, you can expect “turn off that sh_t” to be common advice to users.


Re: Gateway Documentation!

danwalsh

2012-03-06 04:05 pm (UTC)

Well you care enough to comment on a board, although I hate carrying on conversations on a message board. I would suggest that you bring your comments to the Fedora SELinux Mail List and we could further dig into this.

I have pointed you to a couple of "Gateway" docs, but you have not commented on them. Paul Frields pointed you to a RHEL docs on the subject.

I guess I would ask you to point me to a similar Gateway doc on a similarly complex subsystem that you like.


Re: What documentation would you like to see?

pfrields.id.fedoraproject.org

2012-03-03 06:57 pm (UTC)

And don't forget the Red Hat Enterprise Linux documentation:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html (http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/index.html)

Edited at 2012-03-03 06:58 pm (UTC)

You are viewing danwalsh