On Tue, 2006-03-14 at 16:54 +0000, Andrew Haley wrote:
> Stephen J. Smoogen writes:
> >
> > To be honest, we have found that the following people turn off SeLinux
> > for the following reasons:
> >
> > 1) They were told that xyz would be fixed by turning off SeLinux. In
> > most cases, the problem with xyz was really a config issue that
> > they then fix by hand, but will swear that turning off selinux somehow
> > fixed things. It is similar to problems back in the Red Hat Linux 5.0
> > days where any problem with the system was fixed with a static
> > compiled kernel or application.
> >
> > 2) They have installed some super nifty kernel module (panassas) or
> > application that selinux (and 90% of the rest of the kernel) does not
> > agree with.
> >
> > 3) They found a legitimate problem with selinux but did not have the
> > tools to debug it or had the training needed to fix it.

Cf. 7) below.

> > 4) They turn it off because it is outside their experience or religious
> > (Unix) convictions.
>
> 5) They don't want enhanced security. I suspect this is a sizable
> number of people. Only very few people work for a bank ;)

6) They found SELinux (rsp. policy bugs) to prevent the OS from proper function.

Fundamental design problem: SELinux policies are centralized and therefore not easy to customize.

7) They found the current SELinux tools to suffer from usability deficits.

For example: Why aren't all selinux tools using a common program prefix?

Finally, one fundamental problem, probably most users ask themselves: Is coping with all the issues SELinux causes worth the effort, and does it really help the user?

I guess, all Fedora users have been fighting with SELinux at some point in time, but probably nobody or at least very few have seen SELinux preventing damage from a system in real world installations.

Ralf

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list