Re: Request to re-add option to disable SELinux

On Thu, Jul 3, 2008 at 2:29 AM, Alan Cox <alan@xxxxxxxxxx> wrote:
> On Wed, Jul 02, 2008 at 05:20:50PM -0400, Jon Masters wrote:
>> I think the only way to "fix" it for the foreseeable future is to
>> simplify policy, so that only a very limited set of services are
>> confined. Then, when the graphical tools and user experience have
>> eventually caught up, it'll be trivial to switch policy again.
>
> How will you know you have "fixed" it if you have the bits in question
> turned off - you won't. You have no meaningful way to make progress.
>
> Sorry if I sound fed up of all of this but I spent 9 months fighting people
> years back to get firewalling enabled by default, and that had all the same
> arguments. Today nobody (even Microsoft) would propose otherwise.
>

Alan probably also remembers the same arguments being used for DAC
security (I remember them from gnu.* and comp.unix*) from long ago.
15+ years ago there were lots of systems that had the root password in
the motd because, well, DAC got in the way of getting stuff done that
was normally done and you might as well have the root password if you
wanted to 'fix' it. Several of these systems usually also had a
shorthand script that would setuid the program you wanted and setuid it
back to the old permissions after you ran it. They also usually
had files with all the social security numbers, etc. of every student,
etc.

The number of desktops and servers where I find firewalls turned off
at install is still staggering. Most of them are the ones where they
ran into some problem, googled and saw "turn it off" as the answer and
did so. The number of desktops where the person runs everything as
root is also amazing... and boy do they now get ticked at that "You are
running things at root" message.

In the end, I don't see a fix... people want things like their car.
Turn the key, go, in the same way every car they ever liked driving
has been. They hate it when they find the car has a governor to keep
it from going 150+, ABS to change braking behaviour, airbags,
front-wheel versus rear-wheel, transmission gearing changes, etc. etc.
They really don't care one whit if any of those changes make them
safer because they can't perceive it (and if any of those safety
devices go 'wrong' they are more adamant that it was a wrong idea in the
first place, etc. etc.)

> This is the same thing ..
>
> As to Setroubleshoot it would be nicer if it spoke more "end user" ese and
> could prompt/fix common mislabelling (eg html files)
>
> --
> fedora-devel-list mailing list
> fedora-devel-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>



-- 
Stephen J Smoogen. -- BSD/GNU/Linux
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
