On Saturday 01 March 2008 19:43, Konstantin Svist wrote: > Bruno Wolff III wrote: > > > > Yes there are tools to allow new rules to be added. There is at least > > a command line tool to do this; I am not sure about a GUI tool. > > Yeah, but if I don't understand how any of it works, it's just as useful > to me as the car keys are to a monkey. [snip] > The average Joe won't even go this far - in other words, he won't > understand how to work with it - meaning it's NOT suited for desktops. It isn't important to understand how it works, but what it does. I see regular woes about selinux here on the list, mostly from people who didn't bother to read the manuals (myself included for one thread). Just do man semanage, man chcon, man restorecon and find out that the whole thing behaves just as another layer of file permissions. Windows converts are complaining about "those stupid permissions thing", and after a while they come to understand that it is actually a very useful concept. Old-school Linux people are complaining about "that stupid selinux thing", and after a while they also come to a similar conclusion --- selinux is very useful, and it is no harder to configure than traditional unix file permissions. At least I came to that conclusion. :-) Let's face it --- once upon a time we all needed to invest some energy to learn what chown, chgrp and chmod are for, and how to use them. Now we simply need to do the same for chcon. There is a learning curve for chcon like there was for the other ch* commands, but it pays off in the end. And I hope that soon enough selinux will become locked into enforcing mode with no ability to be shut down, just like ordinary permissions are impossible to turn off. Not running selinux should be considered a security risk in complete analogy with not having permissions implemented on a system. It's the same thing. Learn how to manage it, discipline yourself and live with it. Otherwise, turn off selinux, turn off iptables, log in as root, and pray that your system doesn't get compromised, like Windows users. My 2 cents... ;-) Best, :-) Marko -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list