Re: Keeping SELinux on (was Attention: Proprietary video driver users (ATI, Nvidia, etc.))

On 2/24/06, Robert Nichols <rnicholsNOSPAM@xxxxxxxxxxx> wrote:
Benjy Grogan wrote:
> I'm in favor of SELinux.  I've heard that when writing these policies
> the developers have actually improved the applications themselves.  They
> realized that an application didn't really need this or that permission
> and so they adjusted the code and wrote an even better policy.  SELinux
> seems to have some use in debugging software.
>
> If people are afraid of SELinux I think what's needed is more education on
> it.  More "layman" articles getting across a few of the "ideas" behind
> SELinux.

The problem with SELinux is that anyone whose use of a computer involves
more than clicking on icons is pretty much forced to become an SELinux
guru.  Simple things like "ping xxx >$HOME/ping.result" failing because
ping isn't allowed to write to user_home_t don't make people big fans
of SELinux.  I fought with SELinux for quite a while, left it in
permissive mode, ran audit2allow on whatever complaints turned up, and
resolved to use enforcing mode if I could ever get through a week
without seeing more "AVC ... denied" complaints.  Never made it.
Finally gave up, deleted the ACLs from the file systems, and added
"selinux=0" as a kernel parameter.

Lots of work to be done.  Security must be taken seriously.  Higher-level functionality will hopefully make SELinux easier to use in future.  Can't compromise on security.  Powerful security must become mainstream.

Benjy
-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
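The permissive-mode workflow Robert describes (collect "AVC ... denied" lines, feed them to audit2allow) turns each denial into a policy allow rule. The shell script below is an added example, not code from the thread or from the SELinux project: it is a tiny offline stand-in for that step, working over constructed AVC lines rather than a live audit log. The type names used (ping_t, user_home_t, net_conf_t) and the audit timestamps are assumptions chosen to match the redirect case in the message, not values taken from a real system.

```bash
#!/bin/bash
# Added example (not from the original thread): an offline stand-in for the
# rule-generation step of audit2allow. Real denials come from
# /var/log/audit/audit.log or `ausearch -m avc`; the lines below are
# constructed, and the type names are assumed, not copied from the thread.

# Constructed sample denials: the `ping xxx >$HOME/ping.result` case from
# the message (two permissions against the same target) plus one unrelated
# denial, so that grouping by (source type, target type, class) is visible.
sample_avc_log() {
    cat <<'EOF'
type=AVC msg=audit(1140800000.123:45): avc:  denied  { write } for  pid=1234 comm="ping" path="/home/user/ping.result" dev=hda3 ino=98765 scontext=user_u:system_r:ping_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1140800000.456:46): avc:  denied  { append } for  pid=1234 comm="ping" path="/home/user/ping.result" dev=hda3 ino=98765 scontext=user_u:system_r:ping_t tcontext=user_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1140800001.789:47): avc:  denied  { read } for  pid=1235 comm="ping" name="resolv.conf" dev=hda3 ino=4321 scontext=user_u:system_r:ping_t tcontext=system_u:object_r:net_conf_t tclass=file
EOF
}

# avc_to_allow: read AVC lines on stdin and print one `allow` rule per
# (source type, target type, object class), with the union of the denied
# permissions. The type is always the third colon-separated component of a
# context, which keeps this correct whether or not an MCS level (:s0) follows.
avc_to_allow() {
    awk '
    /avc: +denied/ {
        # denied permissions sit between "{" and "}"
        perms = $0
        sub(/.*denied *\{ */, "", perms)
        sub(/ *\}.*/, "", perms)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        key = src SUBSEP tgt SUBSEP cls
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++)
            if (index(seen[key], " " p[j] " ") == 0)
                seen[key] = seen[key] " " p[j] " "
        if (!(key in order)) { order[key] = ++count; keys[count] = key }
    }
    END {
        for (k = 1; k <= count; k++) {
            split(keys[k], f, SUBSEP)
            perms = seen[keys[k]]
            sub(/^ +/, "", perms); sub(/ +$/, "", perms); gsub(/  +/, " ", perms)
            printf "allow %s %s:%s { %s };\n", f[1], f[2], f[3], perms
        }
    }'
}

# Stand-alone run: prints
#   allow ping_t user_home_t:file { write append };
#   allow ping_t net_conf_t:file { read };
sample_avc_log | avc_to_allow
```

On a real box the equivalent is `ausearch -m avc -ts recent | audit2allow -M local` followed by `semodule -i local.pp`. The caveat a practitioner wants here: a rule produced this way is nothing more than the denial restated as permission, so it should be read before it is loaded. Check whether an existing boolean already covers the case (`getsebool -a`) and whether the denial is the policy doing its job rather than a gap in it; loading every generated rule until the AVC messages stop is how a targeted policy quietly turns into no policy at all.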
