On Wed, 2008-07-02 at 17:16 -0400, Jon Masters wrote:
> On Wed, 2008-07-02 at 17:13 -0400, Alan Cox wrote:
> > On Wed, Jul 02, 2008 at 04:37:48PM -0400, Jon Masters wrote:
> > > I wasted about 6 hours on Sunday evening[0] figuring out why an SELinux
> > > policy update in F9 had randomly stopped VPNC from working in a policy
> > > update - that came following days of denials trying to do even simple
> > > stuff. I can't possibly see how thrusting this default upon masses of
> > > otherwise unsuspecting users is a good idea. I'm not saying SELinux
> > > isn't a fantastic idea in certain cases, just not on "the desktop".
> >
> > The desktop is where it is most needed.
>
> Yes, in a perfect world in which policy and reality were so well aligned
> that everything just worked, all of the time.
>
> > But here is a silly question - why are you using vpnc if you turn SELinux off,
> > telnet would be faster too ?
>
> I didn't turn SELinux off. I'm forcing myself to use it in enforcing
> mode, and I will continue to do so. But I think it's absolutely nuts to
> expect the average Fedora desktop user to do so :)

1) You are not the average user; your experience is biased and your usage
patterns are not standard.

2) I use SELinux in enforcing mode since F8, I had almost no problems, I
do development and all. I know what SELinux is and when to change to
permissive. Moreover, given I am doing development and I am fiddling
with non-standard stuff I expect to have random problems with SELinux
(which is all about blocking non-standard behavior), so I just took my
2 hours self-teaching course on SELinux and know how to diagnose and
change labels when needed. I even ventured into changing some policy for
the packages I work on, although Dan Walsh is super in helping out with
that stuff and learning how to write policies is not strictly needed.

Take your time, learn what SELinux is and help back to make it better by
providing changes relative to packages you own or you use most.
This will be a better use of your time.

I wonder if Windows developers had the same attitude toward NTFS ACLs
when Microsoft started transitioning them from FAT ...
I think us Linux devs can handle SELinux, conceptually and practically.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York