On Saturday 11 October 2008 14:19, Tom Horsley wrote:
> On Thu, 9 Oct 2008 12:02:52 +0000
> Marko Vojinovic <vvmarko@xxxxxxxxxxx> wrote:
> > In general, you want a system with active selinux as much as a system
> > with file permissions. Security.
>
> In general, I want a system where it is possible to get things done,
> and all of the security types in the universe believe that just one more
> little obstacle won't hurt anything because, after all, it is to improve
> security.

I fail to see where selinux interferes with the possibility to get things done -- err, to get things done *properly*. Selinux is intended to be completely transparent and to require zero user intervention, and is pretty much getting there (I had only one issue with it on F9 so far). However,

- if you want to do something that is not compatible with the selinux policy (and that begs for a "why?"), you have to explicitly override selinux (use chcon);
- if you want to do something that is not compatible with file permissions (and that begs for a "why?"), you have to explicitly override file permissions (use chmod, chown and chgrp).

The way I see it, selinux is behaving simply as a more sophisticated file-permissions system. However, I see no one yelling and bitching about file perms, only about selinux. Your "get things done" argument could be well extended to perms, and I don't see anyone moaning about that. People are used to using ch* commands to change file perms as they see fit --- they should also get used to using chcon to adapt selinux to their needs.

You disable selinux in order to "get things done" with less hassle (and less security). Do you also log in as root instead of an ordinary account (in X, on a daily basis) in order to get things done with even less hassle (and even less security)? Look at Windows users who use admin accounts routinely --- where should one draw the line between usability and security?

For me, selinux works transparently and I have no problems with it. If a problem arises, I usually try to understand *why* this happened. Then, if possible, I modify my task to do it the Right Way, avoiding selinux trouble automatically. If not possible, I modify selinux to allow me access to what is security-wise Not A Good Idea, and I take my chances with it.

HTH, :-)
Marko

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
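The "understand *why*" step Marko describes, as an added shell example that is not part of the original post: it parses an AVC denial line of the kind the kernel writes to the audit log and reports which domain was denied which permission on which file type, which is what you need to choose between the Right Way (put the file where policy expects it and run restorecon) and an explicit chcon override. The audit line, contexts and types below are constructed sample values, not taken from the thread.

```shell
#!/bin/sh
# Constructed sample AVC denial (same layout as a real audit.log entry).
# Story: httpd tried to read a file still carrying its home-directory label.
SAMPLE_AVC='type=AVC msg=audit(1223730000.123:456): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=98765 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY -> value of "KEY=..." (keys are preceded by whitespace)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE -> the permission set listed inside "{ ... }"
avc_perm() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\) *}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# type_of CONTEXT -> the type field of user:role:type:level
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# explain_avc LINE -> "comm (source domain) denied perm on class of type T"
explain_avc() {
    perm=$(avc_perm "$1")
    comm=$(avc_field "$1" comm | tr -d '"')
    sdom=$(type_of "$(avc_field "$1" scontext)")
    ttype=$(type_of "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    printf '%s (%s) denied %s on %s of type %s\n' \
        "$comm" "$sdom" "$perm" "$tclass" "$ttype"
}

# Reading the summary tells you which way to go:
#  - Right Way: the file was copied from a home dir, so its label is wrong for
#    its location; move it under the web root and run `restorecon -v FILE` so
#    policy's default label applies (no policy change, nothing to remember).
#  - Override: `chcon -t <type> FILE` sets the label by hand; it is lost on a
#    relabel, which is why the "why?" question in the thread matters first.
explain_avc "$SAMPLE_AVC"   # -> httpd (httpd_t) denied read on file of type user_home_t
```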