Ed Swierk wrote:
> For me learning SELinux seems as pointless as trying to remember
> iptables commands, or AFS trivia back when I was a student--all cause
> me trouble just infrequently enough to ensure I have to relearn them
> from scratch every time. If I were a full-time sysadmin of course it
> would be a different story, but I really don't have the brain cycles
> to remember anything more complicated than chmod and chown, and I
> suspect a large number of accidental sysadmins feel the same.

SELinux is (no argument) something that takes considerable time to start figuring out... but basically you have to start by realizing nothing is going to work right if the files aren't labeled as the policy expects them to be. This is precisely the same situation you have when file permissions are wrong and nothing will work until you fix them (SELinux policy is really just a more complicated permissions system for who can use files and for what purpose). When you started out with unices the permissions system probably took time but it eventually sank in -- so will SELinux unless you continue to ignore it.

Just food for thought... I'm sure everyone knows it takes time; the question becomes "is it important", and a lot of people feel the answer is yes. As the policies improve SELinux will become hardly more complicated for general use than chmod itself is... proper policy + proper label = just works. Obviously both of those need to be in place and are in progress; so disable it when you must now, but if you just ignore it long term it's to your detriment. Set it permissive at minimum and keep the denial log messages for additional security review if/when you really need it.

And finally, the ability to disable it is in the distro precisely so that you can (so why the rant? You want to be forced to enable it instead? You feel everyone should install without it enabled by default forever and ever? You feel that SELinux should disable itself when you get denials that prevent you doing what you want? Uhm, that won't do).

-- 
Andrew Farris <lordmorgul@xxxxxxxxx> <ajfarris@xxxxxxxxx>
gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
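The post's practical advice is to run in permissive mode and keep the AVC denial messages for later review, and its central point is that most breakage comes from files not carrying the label the policy expects. The script below, as an added example that is not part of the thread and not Fedora's or SELinux's own tooling, does the review step offline: it parses AVC denial lines in the format written to /var/log/audit/audit.log, groups them by source domain, target type and object class, and flags groups that look like labeling problems rather than policy gaps. The sample log lines are constructed for this example, and the GENERIC_TYPES list is an assumed rule of thumb (types such as default_t, unlabeled_t or user_home_t on a file a daemon is denied access to usually mean the file was created or copied somewhere the policy did not expect), not knowledge of any particular policy.

```python
import re

# Constructed sample in the format of SELinux AVC denials from
# /var/log/audit/audit.log. Not taken from the original post; the
# non-AVC SYSCALL line is included to show that it is ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1175000001.123:101): avc:  denied  { read } for  pid=2201 comm="httpd" name="index.html" dev=sda1 ino=40112 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1175000002.456:102): avc:  denied  { getattr } for  pid=2201 comm="httpd" path="/var/www/html/index.html" dev=sda1 ino=40112 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1175000003.789:103): avc:  denied  { name_connect } for  pid=2201 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1175000003.789:103): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
"""

# "avc:  denied  { perm perm ... } for  key=value key="value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

# Object classes that are on-disk files and can therefore be relabeled.
FILE_CLASSES = {'file', 'dir', 'lnk_file', 'sock_file', 'fifo_file', 'chr_file', 'blk_file'}
# Assumed rule of thumb: a confined daemon denied access to a file carrying
# one of these generic types is usually hitting a mislabeled file.
GENERIC_TYPES = {'default_t', 'unlabeled_t', 'file_t', 'user_home_t', 'admin_home_t', 'tmp_t'}


def context_type(ctx):
    """Return the type field of user:role:type[:level]."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc(line):
    """Parse one audit line; return a dict for AVC denials, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: (q or b) for k, _, q, b in KV_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm', '?'),
        'stype': context_type(fields.get('scontext', '')),
        'ttype': context_type(fields.get('tcontext', '')),
        'tclass': fields.get('tclass', '?'),
        # Older kernels log only name=, newer ones also path=.
        'path': fields.get('path') or fields.get('name'),
    }


def summarize(log_text):
    """Group denials by (source type, target type, class), most frequent first."""
    groups = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        g = groups.setdefault(key, {
            'stype': rec['stype'], 'ttype': rec['ttype'], 'tclass': rec['tclass'],
            'perms': set(), 'paths': set(), 'comms': set(), 'count': 0,
        })
        g['perms'].update(rec['perms'])
        g['comms'].add(rec['comm'])
        if rec['path']:
            g['paths'].add(rec['path'])
        g['count'] += 1
    return sorted(groups.values(), key=lambda g: -g['count'])


def likely_mislabel(group):
    """Heuristic: file-class target carrying a generic type => labeling problem."""
    return group['tclass'] in FILE_CLASSES and group['ttype'] in GENERIC_TYPES


def suggest(group):
    """One-line triage hint for a denial group."""
    if likely_mislabel(group):
        where = ' '.join(sorted(group['paths'])) or '<path from ls -Z>'
        return 'labeling: check with ls -Z, then restorecon -v %s' % where
    return 'not a label issue: review policy/booleans for %s -> %s (%s)' % (
        group['stype'], group['ttype'], group['tclass'])


def report(log_text):
    """Return the triage lines a reviewer would read."""
    lines = []
    for g in summarize(log_text):
        lines.append('%3d  %s %s -> %s:%s { %s }  %s' % (
            g['count'], ','.join(sorted(g['comms'])), g['stype'], g['ttype'],
            g['tclass'], ' '.join(sorted(g['perms'])), suggest(g)))
    return lines


if __name__ == '__main__':
    for line in report(SAMPLE_AUDIT_LOG):
        print(line)
```

Feed it a real audit.log (for example `python avc_triage.py < /var/log/audit/audit.log` after replacing SAMPLE_AUDIT_LOG with stdin) and the groups flagged as labeling problems are the ones the post's "proper label = just works" advice applies to; the rest are the denials worth keeping for the policy review it mentions.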