On Fri, Feb 24, 2006 at 10:25:00 -0500,
  "Mike A. Harris" <mharris@xxxxxxxxxx> wrote:
>
> 2) Would make people get upset at SELinux and probably disable it if
>    they don't already.

I admit I did that for FC3, but I really like targeted for FC4. I had a couple of issues with httpd where I had some stuff outside the /var/www/html tree that needed to be marked with the correct context, and a few perl scripts that needed more access (mostly access to postgres, and one talks to a remote host) that I made unconstrained (though I am trying to learn enough to tighten them back up).

I really want to try out strict. I think I know enough now to be able to work through problems, and I don't like programs having network access by default. This includes some CD players supplied by Fedora that are configured to do remote lookups by default. I also don't trust game software provided by commercial vendors. When I upgrade to FC5 I am going to at least try it out.

> Everyone is given an OS to install and use, and with that freedom
> comes responsibility. You're given the rope to hang yourself with
> in thousands of places in Linux and Linux-like OSs. It is entirely
> the responsibility of the system administrator, or user responsible
> for the computer system to ensure that they are installing software
> wisely.

Currently that is a real pain to do, depending on how much trust you give to various vendors. Ideally you would like a separate environment for each different source of software that you want to install, so that when you do installs, the install scripts can't do some things (phone home, install DRM, etc.). You can kind of do that now by creating a separate account for each source and setting up the necessary directories with appropriate ownership before doing the install. While I did something like this for Neverwinter Nights, so I could restrict its network access by user in my packet filter, this gets tiring after a while.
SELinux isn't going to solve this problem either, but I might be able to have it block some bad behavior for me without spending as much effort.