On Thu, Jul 3, 2008 at 2:29 AM, Alan Cox <alan@xxxxxxxxxx> wrote:
> On Wed, Jul 02, 2008 at 05:20:50PM -0400, Jon Masters wrote:
>> I think the only way to "fix" it for the foreseeable future is to
>> simplify policy, so that only a very limited set of services are
>> confined. Then, when the graphical tools and user experience have
>> eventually caught up, it'll be trivial to switch policy again.
>
> How will you know you have "fixed" it if you have the bits in question
> turned off - you won't. You have no meaningful way to make progress.
>
> Sorry if I sound fed up of all of this but I spent 9 months fighting people
> years back to get firewalling enabled by default, and that had all the same
> arguments. Today nobody (even Microsoft) would propose otherwise.
>

Alan probably also remembers the same arguments being used for DAC security (I remember them from gnu.* and comp.unix*) from long ago. 15+ years ago there were lots of systems that had the root password in the motd because, well, DAC got in the way of getting stuff done that was normally done and you might as well have the root password if you wanted to 'fix' it. Several of these systems usually also had a shorthand script that would setuid the program you wanted and setuid it back to the old permissions after you ran it. They also usually had files with all the social security numbers, etc. of every student, etc.

The number of desktops and servers where I find firewalls turned off at install is still staggering. Most of them are the ones where they ran into some problem, googled and saw "turn it off" as the answer and did so. The number of desktops where the person runs everything as root is also amazing... and boy do they now get ticked at that "You are running things at root" message.

In the end, I don't see a fix... people want things like their car. Turn the key, go, in the same way every car they ever liked driving has been. They hate it when they find the car has a governor to keep it from going 150+, ABS to change braking behaviour, airbags, front-wheel versus rear-wheel, transmission gearing changes, etc. etc. They really don't care one whit if any of those changes make them safer because they can't perceive it (and if any of those safety devices go 'wrong' are more adamant that it was a wrong idea in the first place, etc. etc.)

> This is the same thing ..
>
> As to Setroubleshoot it would be nicer if it spoke more "end user" ese and
> could prompt/fix common mislabelling (eg html files)
>
> --
> fedora-devel-list mailing list
> fedora-devel-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>

--
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams!
So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"