On Fri, 04 Apr 2008 17:17:43 -0400, Stewart Adam scripst:
> I haven't extensively used SELinux in a long time so excuse me if this
> already exists, but if we are to keep this enabled by default and want
> it to be attractive to users I think we need to spend more time on tools
> like setroubleshoot. Two problems I had when I played with SELinux a few
> months ago were sharing content in /home via Samba, and /var/www/html via
> Apache - Both of which are relatively trivial in Mac or Windows. Apache
> +Windows less so, but at least it doesn't require the command line.

OK, so this message sent me into overdrive mode (and sorry if the tone of my reply shows it). This is really the example message of somebody who didn't get it, or you had a really bad day when you wrote it (yes, we all have such days).

So, let me restate the situation, if I understand it correctly -- you are administering a network of computers with a Linux server (you may even be paid to do it, who knows?) and you are not willing to type "samba selinux home" into Yahoo! (or Google, the results are almost the same). And guess what is the first hit in the results? And if you take a look at http://fedoraproject.org/wiki/SELinux/samba you may find out that this is actually a web representation of the manpage selinux_samba(8) (who would guess such a name?), which is already present on your box. So, that's the one.

Then we have this program called system-config-selinux (what an unusual name for a system configuration program in Fedoraland, isn't it? Yes, it is new in Fedora 8; before that it had a different name). And if you switch to the "Booleans" table and write "samba" in the search box, what do you see? "Support SAMBA home directories" and many other samba-related switches (I am not sure which way your sharing of /home directories goes, so I am not sure which is the best for you). Hmm, isn't that interesting?

OK, so you don't use Google, IRC (the #fedora or #selinux channels on FreeNode), installed manpages, or many other methods of getting the information. So, what's your reaction? "SELinux is too complicated and it should be switched off by default!". No, sir, if you want to screw up the security of the computers you manage, YOU should switch off the security features present there, so that YOU are responsible for the consequences. Otherwise, we would have hordes of people with hijacked and broken-into boxes screaming here how Fedora is broken, because it doesn't protect their computer against known security threats.

</mode type="aggressive">

(I haven't understood what your problem with Apache is, so I cannot comment on that.)

You don't have to know that your other idea (red button "Just allow it!") is really not a great idea either. On the one hand, you have the Internet full of testimonies of people who hate Windows Vista for torturing them with dialog boxes "Can I do it? [Yes] [No]". On the other hand, if you are interested, read this http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf -- it is a good read.

Good luck with your administering!

Matěj