Andy Burns wrote:
> OK, I'll wait until the udev/hotplug dependencies have been fixed first

Ok.

> anything more than a "restorecon -R /" required?

A reboot should follow that.
Yes that can be a bother but it requires discussion you can post to
fedora-selinux list about it. Part of the development process of
ensuring that we don't end up with a broken release.

> No problem, one reason I'm here is that I want to see FC5 in good
> enough shape to upgrade a bunch of our FC3 servers, I have to admit
> that I blow hot and cold on SELINUX, I know what it protects against
> and like the idea, but it seems to do quite a lot of shooting at its
> own feet ...

You are shooting the messenger there. You knew what security is. It
provides restrictions and restrictions can impede flexibility. We kind
of work around that by using SELinux booleans. man booleans and look at
system-config-securitylevel for how to use it and then there are
problems with other developers changing file paths and stuff that break
SELinux policies since they are developed in a centralized way. Policies
have to be associated with the packages themselves and developers have to
fix policies along with development related changes they make. Making it
possible is part of the reference policy work that has gone into the
development tree now. We are getting there - one step at a time. Some
early adopter hassles are inevitable for any technology right from the
kernel to things like Xen and SELinux now but this wider exposure and
feedback combined with Fedora policy of staying close to upstream
benefits everybody using Linux and not just Fedora. You will have to
understand that users who don't even use SELinux have been benefited from
it due to the number of security issues the relevant developers found
and fixed while writing those policies. It helps in more than one way
for people who are completely unaware of its benefits and not even using
it. Eventually it will be transparent enough and provide additional
security by default which is what we are shooting for.
--
Rahul
Fedora Bug Triaging - http://fedoraproject.org/wiki/BugZappers