Benjy Grogan wrote:
> I'm in favor of SELinux. I've heard that when writing these policies
> the developers have actually improved the applications themselves. They
> realized that an application didn't really need this or that permission
> and so they adjusted the code and wrote an even better policy. SELinux
> seems to have some use in debugging software.
> If people are afraid of SELinux I think what's needed is more education on
> it. More "layman" articles getting across a few of the "ideas" behind
> SELinux.

The problem with SELinux is that anyone whose use of a computer involves
more than clicking on icons is pretty much forced to become an SELinux
guru. Simple things like "ping xxx >$HOME/ping.result" failing because
ping isn't allowed to write to user_home_t don't make people big fans
of SELinux. I fought with SELinux for quite a while, left it in
permissive mode, ran audit2allow on whatever complaints turned up, and
resolved to use enforcing mode if I could ever get through a week
without seeing more "AVC ... denied" complaints. Never made it.
Finally gave up, deleted the ACLs from the file systems, and added
"selinux=0" as a kernel parameter.
--
Bob Nichols Yes, "NOSPAM" is really part of my email address.