On Fri, 2008-04-04 at 19:18 +0200, Mark wrote:
> 2008/4/3, Arthur Pemberton <pemboa@xxxxxxxxx>:
> > To stay on your light bulb.
> It might not be the best thing to show down the light bulb like
> Mr.Bean does in one of his videos so having the light bulb BUT turning
> it off by default is better for the environment :) only turn it on
> when you need the light.
>
> and for that fedora needs to change the current state of that light
> bulb from on to off by default
>

+1

I don't use SELinux and I understand that some people like it and do need/use it, however keeping it enabled by default causes a whole lot of problems from the end-user point of view and I think we need the right tools to fix these things.

I haven't extensively used SELinux in a long time so excuse me if this already exists, but if we are to keep this enabled by default and want it to be attractive to users I think we need to spend more time on tools like setroubleshoot.

Two problems I had when I played with SELinux a few months ago were sharing content in /home via Samba, and /var/www/html via Apache - both of which are relatively trivial in Mac or Windows. Apache + Windows less so, but at least it doesn't require the command line.

Setroubleshoot was a great help since I could just copy+paste the command it gave me and then things worked a little better (until I hit the next slew of audit errors). Printing out the error messages and giving an error description + command to fix the error is great (huge improvement since I last tried SELinux in FC2) but I think we need a user-oriented tool that simply recognizes: SELinux is blocking Samba. Click here to allow. <click>. done.

The idea is actually pretty similar to how Firestarter detects blocked packets and you can right-click an event and choose allow host, allow service, block host, block service.

Another idea would be to implement a daemon that reports audit messages to a central database where we could collect and review the cause.
That way we could pick up the common ones and get them solved or put why it's being blocked by default into a FAQ. Of course, that daemon doesn't have to be enabled by default, but it would be very useful among testers imho,

Stewart
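
Added example, not part of the original message: a Python sketch of the aggregation step behind the audit-reporting idea above, reducing each denial to a signature and counting the common ones. It assumes raw `avc: denied` lines as found in audit.log; the sample records and function names are constructed for illustration.

```python
import re
from collections import Counter

# Fields of an SELinux AVC denial record as it appears in audit.log.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def parse_avc(line):
    """Return a hashable denial signature, or None for non-denial records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = tuple(sorted(m.group("perms").split()))
    return (m.group("comm"), selinux_type(m.group("scon")),
            selinux_type(m.group("tcon")), m.group("tclass"), perms)

def summarize(lines):
    """Count identical denials, most frequent first.

    Only the signature is kept: pid, inode, file name and timestamp are
    dropped, so nothing host-specific would reach a shared database.
    """
    counts = Counter(sig for sig in map(parse_avc, lines) if sig is not None)
    return counts.most_common()

# Constructed sample records, not taken from a real system.
SAMPLE_LOG = [
    'type=AVC msg=audit(1207329480.101:41): avc:  denied  { read } for  pid=2301 comm="smbd" name="docs" dev=sda2 ino=1234 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1207329480.101:41): arch=40000003 syscall=5 success=no exit=-13 comm="smbd"',
    'type=AVC msg=audit(1207329495.220:57): avc:  denied  { read } for  pid=2417 comm="smbd" name="music" dev=sda2 ino=5678 scontext=system_u:system_r:smbd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir',
    'type=AVC msg=audit(1207329501.007:63): avc:  denied  { getattr } for  pid=1980 comm="httpd" name="index.html" dev=sda2 ino=9012 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
]

if __name__ == "__main__":
    for sig, n in summarize(SAMPLE_LOG):
        print(n, sig)
```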