Re: F21 Self Contained Change: Security Policy In The Installer

On Fri, Mar 14, 2014 at 12:38:59PM -0400, Jan Lieskovsky wrote:

> I am afraid there isn't a default policy that would suit every possible
> use case Fedora OS can be used at. Yes, there's something like "common
> understanding / agreement" which technologies can be considered safe at
> current level of (security) knowledge (i.e. that certain cryptographic
> algorithms should be preferred for usage before the others etc.)

SELinux doesn't suit every possible use case that Fedora supports 
either. But we still default to it being enabled with a targeted policy 
and provide no installer UI to let people change that.

> But the current Fedora defaults approach has one limitation - even when
> we set up the defaults reasonable enough, there is possibility users
> can return back to the use of less secure ways (example how many users
> are still using telnet or rsh today?)

Well, yes. If you're deploying in an environment where you want to make 
it impossible for users to disable security features, you shouldn't be 
allowing those users to choose their own security policy. That's not an 
argument for putting it in the installer UI.

> > If there isn't, how are we
> > going to educate users as to which choice they should be making?
> 
> We can do the following (three alternatives come to mind):
> * use sane defaults, allow the less secure ones (if I am not wrong
>   this is the current approach),

Yes, a user can edit /etc/selinux/config to disable SELinux. They can 
also modify the mmap_min_addr sysctl. But we don't offer those choices 
in the installer, because there's no way that most users are going to be 
able to make an informed decision about what these values should be set 
to or what the associated compromises are.
 
> > *I*
> > don't understand the terms used in the proposed UI,
> 
> Can you be more concrete which term(s) you don't understand? Maybe you are
> right and the concept needs to be better explained / presented differently 
> prior to wider adoption [**].

What is a "Data stream"? What is a "Checklist"? How do I know which ones 
to pick?

-- 
Matthew Garrett | mjg59@xxxxxxxxxxxxx
-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct




