On Tue, Jul 22, 2008 at 6:37 PM, max bianco <maximilianbianco@xxxxxxxxx> wrote:
> 2008/7/22 David Nielsen <gnomeuser@xxxxxxxxx>:
>>
>> Any suggested solution that starts with "open a terminal" scares users,
>
> I understand. However I don't think adding an allow/deny button is the
> answer. I think the main problem is that most people don't understand
> what SELinux does, or more accurately how it does things.
>
>
>> additionally if they are required to be root in said terminal I would
>> hesitate to guess that we lose everyone except a bare minimum of users when
>> looking at the big picture - my mother surely should not be asked to do
>> this, the mere thought of her with the root password in hand terrifies me
>> add to that firing off random commands she has no idea what does - it's a
>> wonder Hollywood has yet to make a blockbuster horror movie following this
>> plot.
>
> It would make for a good movie:^) My mother uses Fedora and hasn't had
> any issues that were SELinux related. Email, music, web surfing are
> all she does. I doubt Aunt Tily is doing much more than that.
>
>
>> In terms of what SELinux does currently, it's an improvement over the
>> older releases but it's still far from being something I would let my mother
>> tinker with - and the policy currently has plenty of holes in terms of what
>> an average user might do, just the other day I discovered SELinux utter fail
>> when plugging in my iPod (this was fixed within days of being filed and as I
>> recall an update was pushed soon thereafter, so the response is generally
>> good but that is still some 2 weeks where aunt tilly can't use her iPod).
>> Should asking the user to drop to a terminal as root and issue commands
>> really be our first line of defence.. I certainly hope not. We really need
>> to be more proactive in gathering failures instead of relying on the user to
>> patch up the policy with mysterious cli magic.
>
> I agree a better job needs to be done but until F9 it was optional was it
> not? Now you can turn it off but it is enabled by default,

On by default does not mean not optional. And if you meant opt-out, it
was opt-out, still is.

[ snip ]

--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )