On Fri, 2015-01-16 at 16:31 -0800, Gordon Messmer wrote: > If your computer is single-user anyway, why does it need a security > subsystem? > *eyeroll* That actually isn't as crazy as you seem to think. Security should always be seen as tradeoff between the cost of the security vs the potential loss and the odds of a breech. Seen in that light simply disabling permissions could indeed be justified under some conditions. But there are some important differences between SELinux and the UNIX model, 1. You can teach a total newb (assuming IQ over room temp) the basics of the UNIX permissions system in under an hour and every admin is expected to know pretty much all details of it. Nobody understands SELinux beyond a few developers at RedHat and the NSA. Even after reading the O'Reilly book since it is already obsolete. Contrast to the UNIX model that hasn't changed in longer than the median age of the typical Linux user and has extensive documentation that is accurate. 2. The UNIX security model is integral to UNIX and Linux. SELinux exists almost entirely outside the normal filesystems and toolset. Normal tools rarely preserve SELInux attributes when taking backups or transferring files between machines. RPM only partially understands it after it being a standard feature for a decade. 3. Any machine configured even slightly differently than the RH devels expected -WILL- break SELinux. Or I have just been very very unlucky on multiple occasions. Unless one is, or has access to, one of the extremely limited number of SELinux experts the best solution is to simply disable it when it breaks. Doubly so if the machine in question isn't a server. 4. Consider the points above and realize SELinux has been a mandatory at install time feature on Fedora even longer than PulseAudio, and neither are even close to being reliable... yet were pushed into production and removal apparently isn't a topic for civilized discussion. At what point is it legitimate to question the wisdom of this?
Attachment:
signature.asc
Description: This is a digitally signed message part
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org