Re: No more selinux-policy-*-sources

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2006-03-14 at 16:54 +0000, Andrew Haley wrote:
> Stephen J. Smoogen writes:
>  > 
>  > To be honest, we have found that the following people turn off SeLinux
>  > for the following reasons:
>  > 
>  > 1) They were told that xyz would be fixed by turning off SeLinux. In
>  > most cases, they the problem with xyz was really a config issue that
>  > they then fix by hand, but will swear that turning off selinux somehow
>  > fixed things. It is similar to problems back in the Red Hat Linux 5.0
>  > days where any problem with the system was fixed with a static
>  > compiled kernel or application.
>  > 
>  > 2) They have installed some super nifty kernel module (panassas) or
>  > application that selinux (and 90% of the rest of the kernel) does not
>  > agree with.
>  > 
>  > 3) They found a legitimate problem with selinux but did not have the
>  > tools to debug it or had the training needed to fix it.
Cf. 7) below.

>  > 4) They turn it off because it is outside their experience or religous
>  > (Unix) convictions.
>
> 5) They don't want enhanced security.  I suspect this is a sizable
>    number of people.
Only very few people work for a bank ;)


6) They found SELinux (rsp. policy bugs) to prevent the OS from proper
function. 

Fundamental design problem: SELinux policies are centralized and
therefore not easy to customize.

7) They found the current SELinux tools to suffer from usability
deficits. For example: Why aren't all selinux tools using a common
program prefix?

Finally, one fundamental problem, probably most users ask them
themselves: Is coping with all the issues SELinux causes worth the
effort, and does it really help the user? 

I guess, all Fedora users have been fighting with SELinux at some point
in time, but probably nobody or at least very few have seen SELinux
preventing damage from a system in real world installations.

Ralf


-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux