Mark wrote:
> 2008/4/1, Andrew Farris <lordmorgul@xxxxxxxxx>:
> > Beta.
> Not beta! This is selinux related and is like this for years so don't
> tell me it's because of "beta". Otherwise try out Fedora 8 final fully
> updated to see for yourself. It's (again) just selinux.
You have to understand how much about selinux is a moving target because Fedora
is a moving target; this is very much an issue of 'beta'. SELinux policy is not
developed in a vacuum or independently. It's not just another application helping
to secure the system along with your firewall; it must handle the oddball
behavior of every constrained bit of code on the system. It can never be 'just
selinux' because selinux is not that type of application/package (the fact that
you can turn it off doesn't mean it's 'separate').
There may never be a fully complete policy that can drop into a distribution and
'just work'. Fedora is a rapidly changing package space; the policy plays keep-up,
so yeah, it's always a beta issue until the full release. It basically
starts over as the totally new versions of software show up -- the more the
software changes, the more the policy is deficient to work with it. The feature
set of F9 has a lot different from F8, with major code changes that affect the
selinux policy... it's not all auto-generated (which btw is impossible because
programs are deterministic but programmers are not; selinux constrains both how
and 'why' accesses occur).
Having hundreds of denials as you try to update is NOT normal selinux behavior;
that happens only when something is really broken. It also happens often when
people try to run selinux here and there, trying to turn it on and get things
going, having issues, and shutting it off again for weeks. Trust me, I realize
how that goes... I've made a conscious effort to keep my systems (both stable and
testing systems) running selinux enforcing since it showed up in Fedora. It
takes a lot of time but it's dramatically improved and continues to improve!
I have run F8, and I ran it selinux enforcing for months. It really does get
easier to work with the more you try, and especially the less your system
packages are changing. But I'm also not saying that selinux is a finished
product... sometimes it does cause problems, but I've seen legitimate audits as
well (not that often, but when they become frequent we'll all be glad that
selinux developers/testers did this work now and not starting then).
And that wall of text is just to say, you ran into a pretty bad little beta
issue, it happens. :)
> I simply don't get why such an idiotic system has to be in fedora...
> Fedora is about user friendly distributions right? this one isn't user
> friendly at all. Till now I've always disabled selinux as soon as the
> first boot was completed.
Well, it's clear you don't understand it, which is ok, but debating its purpose
or implementation is not a reasonable use of time. You may continue to disable
SELinux... I'll continue to do everything I can to help the developers improve
it because I value what it provides.
> I'm interested in trying it out and having a secured linux machine but
> not this way. Once its illnesses are fixed (if that ever gets done)
> and selinux only spits out warnings like every other firewall is doing
> then I will probably use it by default as well. Just not now because
> of the reasons I told a few times now.
I hope it gets there too, but again, the nature of the beast is that policy
won't be perfect unless software stops changing, and we don't want that.
--
Andrew Farris <lordmorgul@xxxxxxxxx> www.lordmorgul.net
gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29
revoked key 0xC99B1DF3 no longer used
No one now has, and no one will ever again get, the big picture. - Daniel Geer
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list