On Thu, 2008-07-17 at 18:46 -0500, Arthur Pemberton wrote: > On Thu, Jul 17, 2008 at 6:26 PM, Ahmed Kamal > <email.ahmedkamal@xxxxxxxxxxxxxx> wrote: > > I'd say I am a pretty knowledgeable Linux user. However, when I see an > > AVC denial, and the recommended chcon doesn't fix it, I'm pretty much > > lost! I need to launch that server or that application NOW, and > > selinux is stopping that ... and the policy won't be fixed for days, > > it won't even be fixed at all if that's a 3rd party app! I need > > something to help me launch my apps if I so choose! a 95% selinux > > protected system, is so much better than one with it disabled, which > > what I always seem to end up doing to get my work done! > > > > PS: To all security-aholics, helping the user launch his apps and get > > his work done, is every bit as important as having a well secured > > system, if not a tad bit more important > > While I understand your sentiments, I have problems empathizing with > it as I haven't had such a problem with SELinux since FC2. > > I do agree that having a user be able to launch an important > app/service should take precedence, though I am not sure that a 80% > SELinux protected machine is better than one with SELinux disabled -- > that's debatable I guess. Now how do we distinguish between a user launching his essential work to get done app, and a user being pwned. Both scenarios will look the same and if both scenarios end up in a dialog box with exempt in it, the guess what will happen. Dave. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
