Arthur Pemberton wrote:
I don't think anyone complaining here has read the docs, but still, this link may also help: http://fedoraproject.org/wiki/SELinux
My opinions were formed by reading the documentation available at nsa.gov concerning the goals of and means used by SELinux. Neither the goals nor the means, as described by the originator of SELinux, do I consider to be of value for my particular situation. Since SELinux is not "small", and it has a pervasive effect upon applications (the docu you point to mentions approximately 50 apps required change, not to mention the kernel and libraries) it is not something which I wish to install, let alone run. Having SELinux is sure to introduce defects. However, since you seem to feel that Fedora's description might be more appealing for some reason, I went to the link you suggest, and read everything under "Understanding SELinux". After doing that, I find myself completely unmoved in my position. In fact, the description I found there was less informative than NSA's website. Incidentally, the documentation you suggest reading states both that most apps can remain "SELinux unaware" and let the policy makers handle everything, and that "leaving apps SELinux unaware" may lead to confusing the app and user both, since all access rights may be correct, but the app simply gets "access denied". My understanding and opinion of SELinux' goals and means are both unchanged. If I had a huge installation of highly sensitive information and needed to be able to tell my bosses that I was doing everything I could to protect it, regardless of how really useful or effective the techniques used would be, then I'd install and run SELinux. We used to say "no one ever got fired for buying IBM". For my machine, which has exactly one real user, and no sensitive information on it at all (only private information), I believe that the disadvantages far outweigh the advantages. There are exactly three users which can actually log on to my machine: root me bird That last one is a user I created recently, and which runs only in a chroot jail. I created it specifically for experimenting with chroot. It appears to me that RH is courting large corporate or government users where political considerations and the ability to dodge responsibility are important, rather than stand-alone small desktop systems with single or just a very few actual users. That's fine. It does mean that RH products and their derivatives are not appealing to me. I think it would be better if they had the option simply not to install. I don't understand any rancor on any side of this issue. Mike -- p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);} Oppose globalization and One World Governments like the UN. This message made from 100% recycled bits. You have found the bank of Larn. I can explain it for you, but I can't understand it for you. I speak only for myself, and I am unanimous in that! -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list