On Thu, Sep 10, 2020 at 7:33 AM Richard Hughes <hughsient@xxxxxxxxx> wrote:
>
> On Thu, 10 Sep 2020 at 10:17, Tom Hughes <tom@xxxxxxxxxx> wrote:
> > > Speaking from personal experience, I've wasted days over the last
> > > decade trying to debug a locally installed system service that was not
> > > working where there were no messages in any of the logs (e.g. no AVCs)
> > > -- and turning off selinux at runtime magically fixed the problem.
> >
> > Some selinux rules are marked to not generate AVCs...
>
> Why!? There's sometimes no log output anywhere obvious that a syscall
> or something was blocked. It's the reason I turn off selinux on my
> work development machine, and I've often wasted *hours* of my life on
> code "doing something impossible" over the last decade until a neuron
> at the back of my brain remembers "you've not yet turned off selinux"
> and then when I "sudo setenforce 0" it works, and I can't actually
> file a bug as there's no indication of what selinux actually blocked
> or why.
>

Because Red Hat customers put the SELinux policy developers into no-win
situations: they complain about AVC denials that don't actually
significantly break anything in *their* app and often just disable
SELinux in those scenarios. Red Hat wants customers to use it and not
freak out all the time, so these kinds of things get added because it
is very hard to come up with the right rules for all cases and there's
not enough time to work on that.

(I know for a fact that more than a few dontaudit rules were the result
of those kinds of conversations, because I witnessed them)

-- 
真実はいつも一つ!/ Always, there's only one truth!
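The dontaudit rules discussed in this thread are exactly what makes a denial vanish from audit.log while `setenforce 0` "fixes" the problem. As an added example (not code from this thread, from Fedora or from the SELinux project), the script below parses rules in the syntax printed by setools' `sesearch --dontaudit` and reports which of them would have silenced a denial you expected to see; the sample rules are constructed. On a real host, `sesearch --dontaudit -s <domain>` produces the real input, `semodule -DB` rebuilds the policy with every dontaudit rule disabled so the hidden AVCs appear, and `semodule -B` restores them.

```python
"""Check whether a dontaudit rule would silence an expected AVC denial.

Added example, not code from the thread. Input uses the rule syntax printed by
setools' `sesearch --dontaudit`; the SAMPLE_RULES below are constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample rules (not a dump from any real policy).
SAMPLE_RULES = """\
dontaudit httpd_t user_home_t:file { getattr read };
dontaudit httpd_t httpd_tmp_t:dir search;
dontaudit httpd_t self:capability { net_admin };
"""

# Accepts both `{ perm perm }` and a single bare perm before the ';'.
RULE_RE = re.compile(r"^dontaudit\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+));\s*$")

@dataclass(frozen=True)
class DontauditRule:
    source: str
    target: str
    tclass: str
    perms: frozenset

def parse_dontaudit(text):
    """Parse rule lines into DontauditRule records; reject anything unrecognised."""
    rules = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line!r}")
        src, tgt, cls, braced, single = m.groups()
        perms = frozenset(braced.split()) if braced is not None else frozenset([single])
        rules.append(DontauditRule(src, tgt, cls, perms))
    return rules

def silenced_by(rules, source, target, tclass, perm):
    """Return the rules that hide `source` being denied `perm` on `target:tclass`.

    `self` as target means the source type. Types are matched literally, so a rule
    written against an attribute (e.g. `domain`) is not expanded here.
    """
    hits = []
    for r in rules:
        tgt = source if r.target == "self" else r.target
        if (r.source, tgt, r.tclass) == (source, target, tclass) and perm in r.perms:
            hits.append(r)
    return hits
```

An empty result for a denial you are sure happened means the silence comes from somewhere other than a literal dontaudit rule on that type (an attribute-based rule, or no denial at all), which is when `semodule -DB` is the quicker check.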
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx