Florian La Roche wrote:
>>I equate SELinux to the point when personal firewalls were first being
>>introduced to each computer, everyone at that point just turned them
>>off. But eventually the technology got to the point where most people
>>don't realize they have a firewall running on their system.
>
> I start hearing from more and more people who now keep selinux
> enabled on e.g. fc4 with all updates applied.
> And getting developers who often change their system to have
> selinux on is one of the bigger hurdles...

we try and really try to use selinux on all of our servers. but after a year we think more and more that it's unusable. although Daniel is one of the fastest and most gentle developers at rh and his response time is almost always within one day, it's still not enough. even after about a year since rhel4 came out we still regularly run

  audit2allow -l -i /var/log/audit/audit.log

and still find rules which would have to apply in order to avoid problems. and these are not extra applications, these are just those included in the rh release. on fedora the situation is worse, so we turn off selinux on all of our desktops. i hope when binary compiled policies can be used and application developers have to develop their own policies then the situation will be better, but now it's like a toy. but even then i do not really believe that rules like:

  allow named_t winbind_var_run_t:dir getattr;
  allow mysqld_t nscd_var_run_t:dir search;

will be easily categorized to any package... these are just my experiences :-(

--
Levente "Si vis pacem para bellum!"

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
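As an added illustration (not part of Levente's post, and not audit2allow's own source), here is a small Python script that does the core of what `audit2allow` does with a log like the one the post runs it over: it parses AVC denial records and merges them into `allow` rules keyed by source type, target type and object class, so that several denials against the same object collapse into one rule. The audit lines are constructed samples shaped like the records of that era; the regex and the function names (`parse_denials`, `build_allow_rules`) are my own. Seeing the mapping spelled out also shows why the post's complaint matters: each generated rule is a loosening of the policy, and nothing in the log says which package legitimately owns the access.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not taken from any real system), shaped
# like the records audit2allow reads from /var/log/audit/audit.log.
# The SYSCALL record at the end is there to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1117000000.123:45): avc:  denied  { getattr } for  pid=1234 comm="named" name="winbindd" dev=hda3 ino=12345 scontext=system_u:system_r:named_t tcontext=system_u:object_r:winbind_var_run_t tclass=dir
type=AVC msg=audit(1117000001.456:46): avc:  denied  { search } for  pid=2345 comm="mysqld" name="nscd" dev=hda3 ino=23456 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
type=AVC msg=audit(1117000002.789:47): avc:  denied  { read } for  pid=2345 comm="mysqld" name="socket" dev=hda3 ino=23457 scontext=system_u:system_r:mysqld_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
type=SYSCALL msg=audit(1117000002.789:47): arch=40000003 syscall=5 success=no exit=-13
"""

# Matches the denied permission set and the three fields a rule needs:
# source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a security context (user:role:type[:mls])."""
    return context.split(":")[2]


def parse_denials(text):
    """Yield (source_type, target_type, object_class, permission) per denied permission."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. SYSCALL, PATH)
        for perm in m.group("perms").split():
            yield (type_of(m.group("scontext")), type_of(m.group("tcontext")),
                   m.group("tclass"), perm)


def build_allow_rules(text):
    """Merge denials into allow rules keyed by (source, target, class), as audit2allow does.

    Every rule returned widens the policy; whether the access is legitimate
    for the package in question has to be decided by a human before loading it.
    """
    merged = defaultdict(set)
    for src, tgt, cls, perm in parse_denials(text):
        merged[(src, tgt, cls)].add(perm)
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{cls} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in build_allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

Run against the sample log this prints one merged rule for `mysqld_t` (the `search` and `read` denials against `nscd_var_run_t` fold together) and one for `named_t`, matching the shape of the two rules quoted in the post.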