{"id":11683,"date":"2013-11-13T12:50:18","date_gmt":"2013-11-13T18:50:18","guid":{"rendered":"http:\/\/bucktownbell.com\/?p=11683"},"modified":"2013-11-13T16:31:55","modified_gmt":"2013-11-13T22:31:55","slug":"your-visual-how-to-guide-for-selinux-policy-enforcement","status":"publish","type":"post","link":"http:\/\/bucktownbell.com\/?p=11683","title":{"rendered":"Your visual how-to guide for SELinux policy enforcement"},"content":{"rendered":"<blockquote><p><strong>Note<\/strong>: SELinux does not let you sidestep DAC Controls. SELinux is a parallel enforcement model. An application has to be allowed by BOTH SELinux and DAC to do certain activities. This can lead to confusion for administrators since the process gets Permission Denied. Administrators see Permission Denied means something is wrong with DAC, not SELinux labels.<\/p><\/blockquote>\n<p>via <a href=\"http:\/\/opensource.com\/business\/13\/11\/selinux-policy-guide\">Your visual how-to guide for SELinux policy enforcement | opensource.com<\/a>.<\/p>\n<p>DAC=Discretionary Access Control<\/p>\n<blockquote><p>SELinux is a powerful labeling system, controlling access granted to individual processes by the kernel. The primary feature of this is type enforcement where rules define the access allowed to a process based on the labeled type of the process and the labeled type of the object.<\/p><\/blockquote>\n<p>For regular users SELinux can be a complete PITA which usually needs to be disabled or set to just log the violation only.\u00a0 I recall in past years installing some service and trying to figure out why it wouldn&#8217;t work until the logs revealed I didn&#8217;t have things set up in a way SELinux wants.\u00a0\u00a0 Currently I try and minimize SELinux violations because it seems like it has a point most of the time.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Note: SELinux does not let you sidestep DAC Controls. SELinux is a parallel enforcement model. 
An application has to be allowed by BOTH SELinux and DAC to do certain activities. This can lead to confusion for administrators since the &hellip; <a href=\"http:\/\/bucktownbell.com\/?p=11683\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[101,123,494],"class_list":["post-11683","post","type-post","status-publish","format-standard","hentry","category-operating-systems","tag-security","tag-selinux","tag-tutorial"],"_links":{"self":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/11683","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11683"}],"version-history":[{"count":3,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/11683\/revisions"}],"predecessor-version":[{"id":11688,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=\/wp\/v2\/posts\/11683\/revisions\/11688"}],"wp:attachment":[{"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11683"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11683"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/bucktownbell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11683"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}