Re: Fedora (again) forces me to disable SELinux

Mark wrote:
2008/4/1, Andrew Farris <lordmorgul@xxxxxxxxx>:
Mark wrote:
 > Hey,
 >
 > I just installed the Fedora 9 Beta release and am doing a full system
 > update as we speak.
 > While downloading the updates nothing is wrong.. it just downloads and
 > that's it. But when installing the updates i get a ton of selinux
 > notices!! and this is just a default Fedora 9 beta followed by a yum
 > -y update.


A few suggestions... first, this is beta software, so naturally the fresh beta
 install is going to have some issues.  Why wouldn't you expect that it is
 possible selinux wouldn't play quietly in its corner right after you install...
 yet you probably wouldn't think twice about a few little issues with gdm or
 nautilus?

I wouldn't find it strange to see bugs in nautilus/gdm/anything other than
selinux. Selinux is just: annoying, frustrating, irritating
and asking to be disabled. My selinux history tells me that this isn't
a bug.. it's just selinux.

An assumption that is dangerous. I understand prior bad selinux issues can leave you feeling that way, but consider how similar it is to just 'click ok for everything' in Windows? Yes.. prior experience would tell you it's something you have to do for it to work, but it's also exploited by malicious code. Assuming every selinux audit is a bug or just selinux being annoying is a terrible mindset.

 Now suggestions.
 - To keep selinux running nicely on your desktop you need to relabel or
 restorecon your files frequently, especially after any updates are done.  If you
 update selinux-policy or your kernel, immediately do 'touch /.autorelabel' and
 then reboot... when you don't you're tempting selinux to annoy you with denials
 (expected behavior).
 - Use tmpfs for /tmp.  This one suggestion from Dan Walsh has been very helpful
 for my systems.  Just add the following line to your /etc/fstab:
 tmpfs  /tmp  tmpfs  defaults 0 0

  then do:
 rm -Rf /tmp/*; reboot

 Then remember that files in tmp are supposed to be temporary and don't save
 large downloads, misc files, etc, in tmp... they will disappear at reboot, and
 tmp is only 512Mb with tmpfs defaults.


First: it requires a reboot, which should not be the case for ANY linux
based program unless it has a good reason. Windows == reboots after
every update. Don't follow that path on linux!

Actually, any kernel update requires a reboot unless you're pulling monkey tricks (yes, it can 'kinda' be done without rebooting, but not with Fedora kernel updates). Any time you update selinux policy you can get away without rebooting, just restoring contexts instead, but it's much simpler... and less error prone, to do it while nothing is being used (i.e. before you really get the system booted). It's not necessary, it's 'best practice' for effectively testing and using selinux in its development state. So don't reboot if you don't feel like it; I will.

Second: it requires me to INVESTIGATE the issues, find solutions and
fix it. Sorry to tell but that's not my job, nor am I willing to do it,
and it requires a lot of time to fix issues that should not even
exist.

So, you'd rather just have a less secure system you can ignore?  Ok.

Third: The tmpfs thing might be handy, but I would just like to run the
OS in its default stuff. If I need to edit things like that then
there is something wrong with Fedora.

I agree; Fedora should ship with tmpfs configured, but it's not my call. I'm just trying to help you.

 - Run selinux-policy-targeted (the default, so don't change it) and then learn a
 little bit about what denials mean, why they happen, and report those that you
 cannot figure out.  Use setroubleshoot and sealert.  I've got lots of denials in
 my audit database right now (actually 30+ of them are new today, for various
 stuff I've been testing)... but not one of them has stopped me from 'doing real
 work' on the system.

Again require me to do some work to get things fixed which should not
even be broken in the first place.

Beta.

I simply don't get why such an idiotic system has to be in fedora...
Fedora is about user friendly distributions, right? This one isn't user
friendly at all. Till now I've always disabled selinux as soon as the
first boot was completed.

Well, it's clear you don't understand it, which is ok, but debating its purpose or implementation is not a reasonable use of time. You may continue to disable SELinux... I'll continue to do everything I can to help the developers improve it because I value what it provides.

Also a note about the selinux stats in the smolt database. When you
install fedora selinux is (sadly) enabled by default. And on the first
boot you get the smolt system specs sending stuff.. at that point
(at least in F9 beta) there was NO option to turn off selinux, so the
stats will therefore always indicate a higher selinux usage than is
actually the case. I turned it off right after those smolt things
were sent, but I'm in the smolt db now with selinux enabled!

Every update smolt does will fix that, showing it turned off on the machine. Don't be overly dramatic, no one really cares whether the smolt stats are slightly padded or not: it's nothing more than 'close to reasonably accurate', and it won't determine whether SELinux continues to be developed or whether Fedora backs it.

--
Andrew Farris <lordmorgul@xxxxxxxxx> www.lordmorgul.net
 gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB  5BD5 5F89 8E1B 8300 BF29
 revoked key 0xC99B1DF3 no longer used
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
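The triage Andrew describes (relabel first, then look at what is left with sealert and report what you cannot explain) is easy to script. The following is an added example, not code from the thread, from Fedora or from the SELinux project. It reads audit.log style AVC lines and sorts each denial into "relabel" (the target file carries unlabeled_t, file_t or default_t, which in practice means the filesystem labels are stale or missing, so restorecon or touch /.autorelabel is the first thing to try) or "investigate" (the labels look sane, so the denial is a real policy question to feed to sealert). The three audit lines embedded in SAMPLE_AUDIT are constructed for this demo and are not real log output; the mapping of those three types to "relabel" is a heuristic assumption, not a rule from the policy.

```shell
#!/bin/sh
# Triage SELinux AVC denials from audit.log: labeling problems vs. real
# policy questions. Added example; the sample lines below are constructed.

# Constructed sample audit lines in the standard "avc:  denied" format.
SAMPLE_AUDIT='type=AVC msg=audit(1207000000.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1207000001.456:46): avc:  denied  { getattr } for  pid=2345 comm="rpm" path="/var/lib/rpm/Packages" dev=sda1 ino=9999 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1207000002.789:47): avc:  denied  { name_connect } for  pid=3456 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket'

# Print the value of "FIELD=value" from one AVC line (empty if absent).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Return the SELinux type (third colon-separated part) of a context string.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one denial line.
#   relabel     - the target carries a type that only shows up when file
#                 labels are missing or stale (heuristic assumption):
#                 run restorecon -Rv on the path, or touch /.autorelabel
#                 and reboot after a policy or kernel update.
#   investigate - labels look sane; this is a real policy question, so
#                 run sealert on it and report it if it cannot be explained.
classify_denial() {
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    case "$ttype" in
        unlabeled_t|file_t|default_t) echo relabel ;;
        *) echo investigate ;;
    esac
}

# Read audit lines on stdin; print one tab-separated triage row per denial:
#   comm  permission  source_type -> target_type  verdict
triage_audit() {
    while IFS= read -r line; do
        case "$line" in
            *"avc:  denied"*) ;;
            *) continue ;;
        esac
        comm=$(avc_field "$line" comm | tr -d '"')
        perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \([^}]*\) }.*/\1/p')
        stype=$(ctx_type "$(avc_field "$line" scontext)")
        ttype=$(ctx_type "$(avc_field "$line" tcontext)")
        printf '%s\t%s\t%s -> %s\t%s\n' \
            "$comm" "$perm" "$stype" "$ttype" "$(classify_denial "$line")"
    done
}

# Count triage rows (from stdin) whose verdict is $1 (relabel|investigate).
count_verdict() {
    tab=$(printf '\t')
    triage_audit | awk -F"$tab" -v v="$1" '$NF == v { n++ } END { print n+0 }'
}

# Demo run on the constructed sample; on a real box use:
#   grep 'avc:  denied' /var/log/audit/audit.log | triage_audit
printf '%s\n' "$SAMPLE_AUDIT" | triage_audit
```

Of the three constructed denials only the rpm one (target unlabeled_t) is a relabel candidate; httpd reading user_home_t and httpd connecting to mysqld_port_t are genuine policy decisions (the kind a boolean such as httpd_enable_homedirs or httpd_can_network_connect_db governs on Fedora) and belong in sealert, not in a blanket "it's just selinux" dismissal.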
