Uli on SELinux; Hemispherical Shifts

Ulrich Drepper features in a video in the latest Red Hat Magazine, explaining how to play nicely with SELinux.

One of the common issues we see is breakage of third party applications, where they ship with dangerous bugs in the code, which SELinux will often find. These can be coding errors, such as not closing files on exec, where child processes will inherit the parent’s, or also commonly, linking issues, where the application has not been built correctly. In the latter case, you will typically see some probably unexpected memory-related security checks failing: Dan Walsh has written about this in detail recently.

Ulrich mentions another common issue, where the application simply has no policy written for it. One approach for this is to run the application as an unconfined domain, which of course doesn’t help secure the application itself, but ensures that the rest of the system retains its SELinux protection.

Ideally, the application should have a policy, and Ulrich mentions efforts in education and training to help people better understand this area, as well as improvements in SELinux tools (setroubleshoot) and the development environment (e.g. modular policy).

Another approach that I would suggest, which should be highly effective, is to post details of your application to an SELinux mailing list (fedora-selinux, the main list etc.) and ask for help. In the meantime, you can run the system in permissive mode, which will ensure that labeling is still enforced, and that you can observe the logs for further analysis if required.

Ulrich also mentions more policy being developed internally for packages, with increasing support for user-oriented (as opposed to server-) applications.


Some will know that I’ve recently moved back to Sydney, where I’ll be working in the same role with Red Hat. Linux in the Asia-Pacific region certainly seems to have grown since I left four years ago, as evidenced by the size of the current Sydney RH office compared to the fairly small one I visited then.

They have one of the most amazing views I’ve ever seen in Sydney, stretching from the harbour around to the Blue Mountains. Of course, my tiny camera & lack of skills cannot do it justice.

sydney harbour from the red hat sydney office in north sydney

On a clear day you can see New Zealand

It’s really exciting to be back.