On 09/20/2011 03:10 PM, Alan Cox wrote:
> In some perhaps. The big cases it helps are desktop (mostly protecting
> against browser stuff) - where it usually just works, and web serving,
> where it's most definitely valuable but does mean reading the docs.

I always find it interesting when people say that, since the browser actually runs unconfined**. There is a boolean that confines browser plugins, but its default state is OFF, and quite a few things stop working if you turn it on.

Even with all the nonstandard things I do with my system, I'm still able to run with SELinux in enforcing mode quite nicely. Prior to about Fedora 12, I couldn't do that. The tools to allow mere mortals to analyze problems and make needed policy changes weren't up to the task, and each new Fedora release made changes that forced you to throw out much of what you had learned and work it all out again. That now seems to be all in the past. My biggest problem these days is that I have so little need to use the tools that I forget how.

** I'm running CentOS 6 on my primary machine. Perhaps things are different in the latest Fedora release.

# ps -Z $(pgrep firefox)
LABEL PID TTY STAT TIME COMMAND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 31756 ? Sl 2:26 /usr/lib64/firefox-3.6/firefox

--
Bob Nichols
"NOSPAM" is really part of my email address. Do NOT delete it.