On Wed, 2008-07-02 at 16:58 -0400, Colin Walters wrote:

> I don't think we can go too far in cutting out the crap from the
> install process for desktops.

Like I said, I like the sentiment ;)

> If our defaults are broken, we should acknowledge that as a bug
> instead of foisting the choice onto our users.

Ok, so...

> Yes, I think what you should be arguing is that it should be
> permissive or disabled by default.

Ok then let me just say it. I think the default should be permissive or disabled by default. I was hoping to not have to say that - but I think it's a lot safer on the mass userbase of Fedora than thrusting a fully enforcing SELinux policy set upon them. If I'm having to hack on the policy files on my laptop, there's no hope for a desktop user.

> I'm not sure I would agree with that argument personally given that I
> see little hope for any other extended security system (e.g. AppArmor
> is architecturally broken).

Oh, see this is why I didn't want to just say "let's turn it off by default", because people read it as an attack on SELinux itself. But it doesn't have to be like that. SELinux is well designed (App Armor is basically crackrock in my personal opinion) but it's extremely complicated in terms of the policy that exists. It's also not for everyone, in my opinion. I think that SELinux makes great sense on a server running a timesharing environment, far less on a desktop.

> There are plenty of other possible choices besides just enabling by
> default or disabling:
>
> o Default rawhide installs to permissive

And yet the issues I've had have all been on F9, stock.

> o Create a system that automatically sends denials back to Fedora and
> treat them like crashes

There's still a lead time of days, or weeks. Dan is *very* good (I'm being careful here to explicitly say I'm not attacking the folks behind the policy - he updated the policy within a day of e.g. the VPNC issue) but the whole thing is still very reactionary to problem reports. If a user tries to do some of the things I tried, and they fail, they'll just give up on trying, and think that it's all a waste of time.

> o Tune down the default policy to move more things back into
> unconfined_t, and focus more strongly on vulnerable network servers
> like Samba, Apache etc.

This is absolutely the most essential thing to be doing. I've been arguing this for ever and ever. Personally, I think SELinux is a great tool on servers to protect network facing stuff...but there needs to be a middle ground on Desktops where people can just get stuff done. I haven't pushed this on fedora-devel - I didn't expect a warm response ;)

> o Actually have a regression test suite for Fedora and run updates
> through it

Well, while we're at it, we really need to encourage more people to use bodhi and start voting (and thereby assigning karma), and knowing about updates (which should only ever contain essential fixes). But that's another whole bucket of worms for a different thread.

Jon.

-- 
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
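The denial records the thread proposes collecting and "treating like crashes", as an added example that is not code from the thread or from Fedora: it parses constructed AVC audit lines and separates enforced denials in desktop-style domains from denials in network-facing daemons. The sample records, the NETWORK_DOMAINS set and the presence of the trailing permissive= field are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the thread); the layout follows the
# kernel's AVC audit message, and the trailing permissive= field is assumed present.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1215024000.101:11): avc:  denied  { read } for  pid=2211 comm="vpnc" name="resolv.conf" dev=dm-0 ino=4097 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1215024000.102:12): avc:  denied  { write } for  pid=2211 comm="vpnc" name="resolv.conf" dev=dm-0 ino=4097 scontext=system_u:system_r:vpnc_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1215024000.300:13): avc:  denied  { name_connect } for  pid=3020 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1215024000.400:14): avc:  denied  { getattr } for  pid=4100 comm="smbd" path="/home/jon/share" dev=dm-1 ino=88 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1215024000.400:14): arch=c000003e syscall=4 success=no exit=-13
"""
# Illustrative (not authoritative) set of network-facing daemon domains, the
# kind the thread says the default policy should concentrate on.
NETWORK_DOMAINS = {"httpd_t", "smbd_t", "nmbd_t", "sshd_t", "named_t"}
DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = DENIED_RE.search(line)
    if not line.startswith("type=AVC ") or not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return {
        "domain": f["scontext"].split(":")[2],  # user:role:type:level -> type
        "comm": f.get("comm", "?"),
        "perms": m.group(1).split(),
        # permissive=1: the access was logged but still allowed
        "enforced": f.get("permissive", "0") == "0",
    }

def summarize(audit_text):
    """Group denials by source domain; count those that actually blocked access."""
    out = defaultdict(lambda: {"enforced": 0, "logged_only": 0, "perms": set()})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            e = out[rec["domain"]]
            e["enforced" if rec["enforced"] else "logged_only"] += 1
            e["perms"].update(rec["perms"])
    return dict(out)

def desktop_breakage(summary):
    """Domains outside the network-facing set with enforced denials: the case
    where a desktop user hits a wall and, as the thread says, just gives up."""
    return sorted(d for d, e in summary.items()
                  if e["enforced"] and d not in NETWORK_DOMAINS)
```

Running `desktop_breakage(summarize(SAMPLE_AUDIT))` on the constructed records flags only vpnc_t, the VPNC-style breakage the thread mentions, while the smbd_t denial shows up as logged_only because that record carries permissive=1.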