Re: SELinux - a call for end-of-life.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, Sep 01, 2010 at 12:35:14 +0000,
  JB <jb.1234abcd@xxxxxxxxx> wrote:
> 
> The "Relabel on next reboot" is a major design flaw.
>   "Select if you wish to relabel then entire file system on next
>   reboot. Relabeling can take a very long time, depending
>   on the size of the system. If you are changing policy types
>   or going from disabled to enforcing, a relabel is required."

If you don't disable selinux, then it is rare to need to do a relabel and
reboot. Normally updates relabel any needed files. You can also relabel
the whole without rebooting, though if context for services change, you'd
need to restart those services and enforcing mode may prevent relabelling
of some files.

> The future is to do away with system restarts:
> - due to kernel update (this is almost done with e.g. kexec in Linux)
> - due to other system or application software updates
> - due to SELinux-like system "relabeling"
> - any other updates

Rebooting is generally the easiest way to make sure running processes are
using the latest versions of things. You can try to restart services one
by one if you don't want to reboot, but that can be error prone and may
take longer than just doing a reboot.

> - it has to be simple to be acceptable and understandable by all sys admins and

Selinux is fundamentally simple. When a process acts on an object, the label
of the process, the label of the object and the action are checked in a
table and either allowed or denied (with optional logging).

> - it should show various diagnostics (alarms) in real-time, but never interfere
>   with or prevent a program from execution.

That doesn't sound too useful, but you can run selinux in permissive mode
if you just want to see warnings about potentially bad stuff.
-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines

[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux