Nov 14, 2017

>I don't understand SELinux and I have not found a document that explains for the average Joe like me

This could help: https://people.redhat.com/duffy/selinux/selinux-coloring-boo...

>It took me two nights to figure out that SELinux prevents qemu-libvirt from reading certain ROM files that I need.

That is not too hard to imagine. Basically, the rationale is that if qemu/libvirt can read your ROM file, it can probably read other files too, some of which might be sensitive. So the defaults are conservative. Unless your ROM file is in a standard location where it expects it, it won't read it even if the permissions are 644.

>So after scratching my head, I just turned it off altogether

SELinux is annoying, but it is worth persisting. Nowadays, most things work well. I think things are a bit more stable in RHEL/CentOS than Fedora by definition. So maybe you can try that if you are getting too many SELinux-related problems.

Aug 10, 2017

Also relevant to permissions:

https://people.redhat.com/duffy/selinux/selinux-coloring-boo...

Feb 02, 2017

Unfortunately, this is an area that could use some work. Tools for writing new policies are a long way away from what they could/should be. If you need something to work with SELinux that doesn't come with a policy you have essentially three options, in order of preference:

1) Develop a new policy from scratch. This is fairly hard, and the tools, such as they are[0], are not great. There are a couple of good resources out there, including [1] which has some good examples, and Dan Walsh's blog [2].

2) Use audit2allow to generate a policy semi-automatically. The resultant policy won't be very clean, and will almost certainly be more permissive than it needs to be, but if 1) is too much work (and I wouldn't blame you for this), then this is the next best thing.

3) Run your binary in the unconfined domain (do something like chcon -t unconfined_exec_t /usr/local/bin/foo), but leave the rest of the system enforcing. This will mean your binary itself is able to do anything, but the rest of the system is still protected.

Oh, and if you haven't read it before, you should definitely check out [3] (pdf).

0: http://oss.tresys.com/archive/slide.php
1: https://github.com/TresysTechnology/refpolicy/blob/master/po...
2: http://danwalsh.livejournal.com/
3: https://people.redhat.com/duffy/selinux/selinux-coloring-boo...
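As an added illustration of option 2 (not part of the comment above, and not the code of the real audit2allow tool): the script below re-implements, in simplified form, what audit2allow does when it turns AVC denials into type-enforcement allow rules. The audit lines are constructed for this example and describe the situation from the first comment in the thread, a qemu process (running in the svirt_t domain) denied access to a ROM file in a home directory labelled user_home_t. The domain and type names are the standard ones shipped with the Fedora/RHEL targeted policy; the module name local_qemu_roms is an arbitrary choice for the example.

```python
import re
from collections import defaultdict

# Constructed sample records in the format the kernel writes to
# /var/log/audit/audit.log. Not real log output from any system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1510600000.123:456): avc:  denied  { read } for  pid=2231 comm="qemu-system-x86" name="bios.bin" dev="dm-0" ino=1234 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1510600000.124:457): avc:  denied  { open } for  pid=2231 comm="qemu-system-x86" path="/home/joe/roms/bios.bin" dev="dm-0" ino=1234 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1510600000.124:457): arch=c000003e syscall=257 success=no exit=-13 comm="qemu-system-x86"
type=AVC msg=audit(1510600000.200:458): avc:  denied  { search } for  pid=2231 comm="qemu-system-x86" name="roms" dev="dm-0" ino=99 scontext=system_u:system_r:svirt_t:s0:c12,c34 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=0
"""

# Pull the permission set, both security contexts and the object class
# out of one AVC record. Non-AVC records (SYSCALL, CWD, PATH ...) do not match.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_denials(log_text):
    """Yield (source_type, target_type, object_class, permission) per denied permission."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src = context_type(m.group("scontext"))
        tgt = context_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield src, tgt, m.group("tclass"), perm


def collect_permissions(log_text):
    """Merge all denials into one permission set per (source, target, class) triple."""
    perms = defaultdict(set)
    for src, tgt, tclass, perm in parse_denials(log_text):
        perms[(src, tgt, tclass)].add(perm)
    return perms


def format_perms(perms):
    # Policy syntax: a single permission needs no braces, several are braced.
    ordered = sorted(perms)
    return ordered[0] if len(ordered) == 1 else "{ " + " ".join(ordered) + " }"


def build_allow_rules(log_text):
    """Return the allow rules audit2allow would derive, one per (source, target, class)."""
    return [
        f"allow {src} {tgt}:{tclass} {format_perms(ps)};"
        for (src, tgt, tclass), ps in sorted(collect_permissions(log_text).items())
    ]


def build_module(log_text, name="local_qemu_roms"):
    """Wrap the rules in a minimal policy module source (.te file) with its require block."""
    perms = collect_permissions(log_text)
    types = sorted({t for key in perms for t in key[:2]})
    by_class = defaultdict(set)
    for (_, _, tclass), ps in perms.items():
        by_class[tclass] |= ps
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in types]
    out += [f"    class {c} {format_perms(ps)};" for c, ps in sorted(by_class.items())]
    out += ["}", ""]
    out += build_allow_rules(log_text)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(build_module(SAMPLE_AUDIT_LOG))
```

The output makes the comment's caveat concrete: the two allow rules grant svirt_t access to every file and directory of type user_home_t, not only the one ROM, because type enforcement rules are written in terms of labels rather than paths. That is exactly why a generated module is "more permissive than it needs to be", and why it is worth reading the rules before loading the module rather than installing whatever the tool emits.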

Jan 14, 2017

> I'm still to find a decent document that starts from the simple stuff and lets one build a mental concept of how it works before jumping into the more complicated (real-world) use cases.

Well, there is this:

https://people.redhat.com/duffy/selinux/selinux-coloring-boo...

You can link it to repeat offenders who disable SELinux. (That might not be a good idea.)