2008/4/5, Daniel J Walsh <dwalsh@xxxxxxxxxx>:
> Mark wrote:
> > Hey,
> >
> > I just installed the Fedora 9 Beta release and am doing a full system
> > update as we speak.
> > While downloading the updates nothing is wrong.. it just downloads and
> > that's it. But when installing the updates I get a ton of SELinux
> > notices!! And this is just a default Fedora 9 Beta followed by a yum
> > -y update.
> >
> > Also another issue that I noticed was when looking at a Flash
> > animation in Firefox.. when I want to play the animation SELinux
> > (again) drops in and tells me I can't (or I need to run a command to
> > get it working).
> >
> > Now I've tried to run SELinux on Fedora 7 and 8 for as long as
> > possible just to see how long I can get around it.. I did some
> > commands in that time as well, but I always end up with disabling
> > SELinux.
> >
> > I have no idea how other users are using Fedora in normal every day
> > usage without disabling SELinux.. I agree that a firewall should be in
> > Linux, but SELinux just doesn't seem mature yet (if it will ever be).
> > Perhaps it's time to start considering turning off SELinux and removing
> > it from the Fedora kernel completely? As long as it's blaming here
> > when I install updates or simply browse the web, then SELinux gets shut
> > down completely!
> >
> > So.. how are you doing this?
> >
> >
> > Btw.. judging from the SELinux stats here:
> > http://smolts.org/static/stats/stats.html it says that nearly 50%
> > (48.4%) is turning off SELinux. And my guess is that all Fedora
> > servers keep it on, making up the other 50%.
> >
>
> The AVC messages you are probably seeing are SELinux attempting to
> confine firefox/nsplugins. Although you did not submit them.
>
> During the Beta I have been turning on a transition boolean for
> nsplugin. This transition is from unconfined_t to nsplugin_t. The
> attempt here is to confine random code like flashplugin/acrobat and
> other closed source programs that read random data from the internet
> from attacking your machine. I have to turn it on by default in
> Rawhide/Beta to find out what problems it causes. I will probably turn
> it off when we release, to prevent it causing problems for people like you.
>
> I wrote about the change in
>
> danwalsh.livejournal.com/15700.html
>
> There is a potential real security gain from this, but we need to
> experiment to figure out how we can benefit the greatest number of users.
>
> I agree we need to tread lightly when adding new SELinux confinement to
> the users, but we still have an ability that could really advance
> computer security.
>
> allow_execmod, allow_execstack, allow_execheap, allow_execmod have
> caused many AVCs to be seen by users, but they also can prevent buffer
> overflow attacks. Sadly badly coded applications have caused us to turn
> a lot of these checks off by default.
>

Hereby a promise from me to you and all of the Fedora development team.
Next time I install Fedora (9 final or even 10 Rawhide) I will keep SELinux
on, enforcing, for as long as possible. Then I will collect all the issues
I find and file them all here on this mailing list (no, this thread). I
won't make a Bugzilla report for each warning! An online SELinux warning
database where all the warnings are sent to would really be helpful here!
But for now it stays off till I reinstall.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
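The reply above names the booleans (allow_execstack, allow_execheap, allow_execmod) behind the flood of AVCs that nsplugin_t confinement produces, but Mark's complaint is that the notices arrive as an undifferentiated "ton". The script below is an added example, not code from the thread or from the Fedora project: it parses audit.log-style AVC lines, works out which of the four memory-protection permissions each denial is (and therefore which boolean would relax it), and separates those from ordinary policy denials that no boolean covers. The sample lines are constructed for the example; the mapping from execmem/execstack/execheap/execmod to allow_execmem/allow_execstack/allow_execheap/allow_execmod follows the Fedora 9-era boolean names, with allow_execmem assumed to complete the set (the thread lists allow_execmod twice). The textrel_shlib_t advice for execmod on a library is standard Fedora practice rather than something the thread states.

```python
import re
from collections import Counter

# Constructed AVC lines in Linux audit.log format (not taken from the thread).
# The last line is a SYSCALL record, which the parser must ignore.
SAMPLE_AVCS = """\
type=AVC msg=audit(1207404321.101:411): avc:  denied  { execmem } for  pid=3210 comm="firefox" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0 tclass=process
type=AVC msg=audit(1207404321.102:412): avc:  denied  { execstack } for  pid=3210 comm="firefox" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0 tclass=process
type=AVC msg=audit(1207404322.900:413): avc:  denied  { execmod } for  pid=3210 comm="firefox" path="/usr/lib/flash-plugin/libflashplayer.so" dev=sda2 ino=98765 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1207404330.500:420): avc:  denied  { read } for  pid=3210 comm="firefox" name="notes.txt" dev=sda2 ino=44321 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1207404331.000:421): avc:  denied  { execheap } for  pid=4100 comm="acroread" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0 tclass=process
type=SYSCALL msg=audit(1207404331.000:421): arch=40000003 syscall=125 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Memory-protection permissions and the boolean that relaxes each one.
# allow_execmem is an assumption completing the set the thread lists.
EXEC_BOOLEANS = {
    "execmem": "allow_execmem",
    "execstack": "allow_execstack",
    "execheap": "allow_execheap",
    "execmod": "allow_execmod",
}


def parse_avc(line):
    """Return the fields of one AVC record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    fields["verdict"] = m.group("verdict")
    fields["perms"] = m.group("perms").split()
    # The type is the third colon-separated field of a context label.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields


def triage(audit_text):
    """Turn raw audit lines into one finding per denied permission."""
    findings = []
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if not avc or avc["verdict"] != "denied":
            continue
        for perm in avc["perms"]:
            boolean = EXEC_BOOLEANS.get(perm)
            if boolean is None:
                advice = ("not a memory-protection check: fix the file context or build "
                          "a policy module with audit2allow; no boolean covers it")
            elif perm == "execmod" and avc.get("tclass") == "file":
                # A library needing text relocations: relabel that one file
                # instead of disabling the check for every process.
                advice = ("%s needs text relocations; relabel it textrel_shlib_t or "
                          "fix the library rather than setting %s"
                          % (avc.get("path", "the library"), boolean))
            else:
                advice = ("setsebool -P %s=1 silences it, but that removes W^X "
                          "enforcement for every %s process" % (boolean, avc["stype"]))
            findings.append({
                "perm": perm, "comm": avc.get("comm"), "stype": avc["stype"],
                "ttype": avc["ttype"], "tclass": avc.get("tclass"),
                "path": avc.get("path"), "boolean": boolean, "advice": advice,
            })
    return findings


def summarize(findings):
    """Count denials per (command, source type, permission) to see what is noisy."""
    return Counter((f["comm"], f["stype"], f["perm"]) for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_AVCS)
    for (comm, stype, perm), n in summarize(results).most_common():
        print("%3d  %-10s %-14s %s" % (n, comm, stype, perm))
    for f in results:
        print("%s/%s %s -> %s" % (f["comm"], f["stype"], f["perm"], f["advice"]))
```

Run it against `ausearch -m avc` output instead of the constructed sample to get the same grouping on a real Fedora 9 box; the point is that only the execmem/execstack/execheap/execmod denials are the W^X checks Dan describes, and even there the per-file textrel_shlib_t relabel is the narrower fix than flipping a boolean system-wide.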