More SELinux
Proceeding with my SELinux experience wrap-up:

- Never call /etc/init.d/something directly. Use run_init /etc/init.d/something instead. Calling the script directly usually appears to have worked, but the daemon ends up with the wrong context and you'll get odd violations. (I've read that the Fedora guys have found a way for at least cron to transition into its proper domain automatically.)

- Never use apt-get or dpkg directly in a modifying call. Use se_dpkg and se_apt-get. In fact I recommend adding an alias. (You'll survive having to enter your password for things like “dpkg -L”, or call /usr/bin/dpkg to bypass the alias.) I bet these things could be avoided if one made apt-get and dpkg SELinux-aware, but unless SELinux is in main I prefer this wrapper solution.

- Avoid things like “audit2allow”. Try to understand the macros and write proper policy rules. Use “dontaudit” when the access is not needed. For example:

    dontaudit { dpkg_t apt_t } newrole_t:fd { use };
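A quick way to spot daemons that were started the wrong way, as an added check that is not part of the original post: scan ps -eZ output for processes left in a domain no properly transitioned daemon should sit in. The ps output below is constructed, and treating initrc_t and unconfined_t as the "wrong" domains for a daemon is an assumption of this example, not something the post states.

```shell
#!/bin/sh
# Constructed sample of `ps -eZ` output (not captured from a real host).
# Columns: LABEL PID TTY TIME CMD
PS_SAMPLE='LABEL                                     PID TTY      TIME     CMD
system_u:system_r:init_t:s0                 1 ?        00:00:01 init
system_u:system_r:crond_t:s0              812 ?        00:00:00 cron
unconfined_u:unconfined_r:unconfined_t:s0 913 ?        00:00:00 sshd
system_u:system_r:initrc_t:s0             955 ?        00:00:00 apache2'

# find_misdomained PS_OUTPUT
# Prints "pid cmd domain" for every process whose type (third field of the
# context) is initrc_t or unconfined_t: the domains a daemon lands in when
# its init script is run directly instead of through run_init. The header
# line is skipped.
find_misdomained() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        split($1, ctx, ":")
        domain = ctx[3]
        if (domain == "initrc_t" || domain == "unconfined_t")
            print $2, $5, domain
    }'
}

# On a live system you would feed it real output: find_misdomained "$(ps -eZ)"
find_misdomained "$PS_SAMPLE"
```

Every line it prints is a daemon worth restarting via run_init so that it transitions into its own domain.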
Fucked today in unstable: cron. If you don't need “crontab”, you can just touch /usr/bin/crontab and it will configure and cron should run. But no crontab editing until the next upload (which probably is in incoming).