-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Mark wrote:
> Hey,
>
> I just installed the Fedora 9 Beta release and am doing a full system
> update as we speak.
> While downloading the updates nothing is wrong.. it just downloads and
> that's it. But when installing the updates I get a ton of SELinux
> notices!! And this is just a default Fedora 9 beta followed by a
> yum -y update.
>
> Also another issue that I noticed was when looking at a flash
> animation in firefox.. when I want to play the animation SELinux
> (again) drops in and tells me I can't (or I need to run a command to
> get it working).
>
> Now I've tried to run SELinux on Fedora 7 and 8 for as long as
> possible just to see how long I can get around it.. I did some
> commands in that time as well but I always end up with disabling
> SELinux.
>
> I have no idea how other users are using Fedora in normal every day
> usage without disabling SELinux.. I agree that a firewall should be in
> Linux but SELinux just doesn't seem mature yet (if it will ever be).
> Perhaps it's time to start considering turning off SELinux and removing
> it from the Fedora kernel completely? As long as it's blaming here
> when I install updates or simply browse the web, then SELinux gets shut
> down completely!
>
> So.. how are you doing this?
>
>
> Btw.. judging from the SELinux stats here:
> http://smolts.org/static/stats/stats.html it says that nearly 50%
> (48.4%) are turning off SELinux. And my guess is that all Fedora
> servers keep it on, making up the other 50%.
>

The AVC messages you are probably seeing are SELinux attempting to confine
firefox/nsplugins, although you did not submit them. During the Beta I have
been turning on a transition boolean for nsplugin. This transition is from
unconfined_t to nsplugin_t. The attempt here is to confine random code like
flashplugin/acrobat and other closed source programs that read random data
from the internet from attacking your machine.

I have to turn it on by default in Rawhide/Beta to find out what problems it
causes. I will probably turn it off when we release, to prevent it causing
problems for people like you. I wrote about the change at
danwalsh.livejournal.com/15700.html

There is a potential real security gain from this, but we need to experiment
to figure out how we can benefit the greatest number of users. I agree we
need to tread lightly when adding new SELinux confinement to users, but we
still have an ability that could really advance computer security.

allow_execmod, allow_execstack and allow_execheap have caused many AVCs to be
seen by users, but they also can prevent buffer overflow attacks. Sadly,
badly coded applications have caused us to turn a lot of these checks off by
default.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkf3XKYACgkQrlYvE4MpobNo9QCg2QrrCMTnlu2t7tjv+Eefaf5w
foEAoKjX9c3UmowjVAsuCf5hZe4LmXA+
=PcR3
-----END PGP SIGNATURE-----

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
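Dan's reply explains where the noise comes from (the nsplugin_t transition, plus the allow_execstack / allow_execheap / allow_execmod memory checks that block a class of buffer-overflow exploitation). Before flipping a boolean or disabling SELinux outright, a defender wants to know which domain and which permission each denial is about. The script below is an added example, not code from this thread or from Fedora/SELinux: it triages AVC records by source domain and permission and maps the three memory-execution permissions to the booleans Dan names. The audit lines in `AVC_SAMPLE` are constructed for the demonstration; the `avc_report` function reads records on stdin, so it can equally be fed real output from `ausearch -m avc --raw`.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the SELinux project):
# triage AVC denials by source domain and permission, and map the exec*
# permissions to the booleans named in Dan's mail.

# Constructed sample audit records (not real logs from anyone's machine).
AVC_SAMPLE='type=AVC msg=audit(1207950000.123:42): avc:  denied  { execstack } for  pid=1234 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0 tclass=process
type=AVC msg=audit(1207950001.456:43): avc:  denied  { execheap } for  pid=1234 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0 tclass=process
type=AVC msg=audit(1207950002.789:44): avc:  denied  { execmod } for  pid=2345 comm="acroread" path="/usr/lib/libexample.so" dev=sda1 ino=12345 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1207950003.012:45): avc:  denied  { read } for  pid=3456 comm="rpm" name="example.db" scontext=unconfined_u:unconfined_r:rpm_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file'

# Print the value of KEY=value from one AVC line, with quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# Source domain: the type component of scontext (user:role:TYPE:level).
avc_domain() {
    avc_field "$1" scontext | cut -d: -f3
}

# The permission(s) listed inside "denied { ... }", one per line.
avc_perms() {
    printf '%s\n' "$1" \
        | sed -n 's/.*denied *{ *\([^}]*\)}.*/\1/p' \
        | tr -s ' ' '\n' | sed '/^$/d'
}

# Boolean that Dan's mail associates with a memory-execution permission.
# Anything else prints "-": no such boolean, so the denial needs a closer
# look (or a bug report) rather than a setsebool.
boolean_for_perm() {
    case "$1" in
        execstack) printf '%s\n' allow_execstack ;;
        execheap)  printf '%s\n' allow_execheap ;;
        execmod)   printf '%s\n' allow_execmod ;;
        *)         printf '%s\n' - ;;
    esac
}

# Read AVC records on stdin; print "comm domain perm boolean" per denial.
avc_report() {
    while IFS= read -r line; do
        case "$line" in *" denied "*) ;; *) continue ;; esac
        comm=$(avc_field "$line" comm)
        domain=$(avc_domain "$line")
        for p in $(avc_perms "$line"); do
            printf '%s %s %s %s\n' "$comm" "$domain" "$p" "$(boolean_for_perm "$p")"
        done
    done
}

# How many denials in the sample would one of the named booleans silence.
count_boolean_denials() {
    printf '%s\n' "$AVC_SAMPLE" | avc_report | awk '$4 != "-"' | wc -l | tr -d ' '
}

# Stand-alone run: show the triage table for the constructed sample.
printf '%s\n' "$AVC_SAMPLE" | avc_report
```

On the sample, the three nsplugin_t denials all map to a named boolean, while the rpm_t read denial maps to none; that split is the decision point Dan describes: relaxing an exec* boolean trades away an overflow mitigation for one plugin, whereas a denial with no matching boolean is either a genuine policy gap to report or a real attempt to do something the domain should not do.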