Re: Selinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Wayne Feick wrote:

Generally speaking, in the security world you default to the most restrictive behavior and administrators loosen up the restrictions as needed. This, of course, tends to annoy everyday users who don't realize all the insecurities of what they want to do, and just want it to work. I mean, all those flashing red lights and sirens can be annoying when all I want to do is start a little campfire over there next to the gas cans.

Make sense?

Well, yes. But we're not talking about setting a campfire next to gas cans. I think we're overdoing the analogies.

I understand your rationale, but at some point, a security tool that gets in the way will cease being a security tool - and generally in a very dangerous way. If we want to extend your already tortured analogy a little, it's kind of like having a wall between the gas can and the campfire, but the only way to get to the wood to start the fire is to enter a code into a little door in the wall. And you can only take out one at a time. Eventually you'll just chop down the wall, and to hell with the consequences. And possibly use it for wood, but that's a different analogy that doesn't yet have a real world case. I'm sure we'll find one. :-)

It would be at least a nice thing to have a tool that asks you if you're doing some common things that selinux doesn't by default allow, make sure that's what you want to do, and set up selinux to allow them. At least then most people won't need to worry about it, but it might make common tasks easier for someone who really doesn't know what they're doing.

But I still maintain that things like firefox, which is a default install with no real changes to it, should never trigger an AVC alarm. A default Fedora install, with no local modifications to it, should never trigger AVC denials. But it happens frequently.

--Russell

Wayne.


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux