Re: first encounters with SELINUX, with some suggestions

[Jeff Johnson <n3npq nc rr com>]

Thomas Vander Stichele wrote:

> Hi,
>
>  
>
> > > - A lot of developers I know, including a bunch at Red Hat, *turn off
> > > SELINUX entirely*.  IMO, something that gets pushed at heavily as this
> > > should be dogfooded by the development team at Red Hat completely, so
> > > they encounter firsthand what it means and how to fix basic issues.
> > >      
> > FWIW I have three machines here, of which two have SELinux always on in
> > enforcing mode, and the third sometimes on (dogfooding Rawhide here, so
> > sometimes things break...).  They're all using the targeted policy.
> >    
>
> Oh, I'm sure there are developers dogfooding it.  My point is that *all*
> of the Red Hat developers should be dogfooding it if you think SELINUX
> should be the default (which I assume is being thought since it's the
> default in anaconda).
>  

Why *all* so vehemently? There are devel issues other than selinux that 
occaisionally
crop up, and there is still a need to develop software that is (not yet 
anyways ;-) infected
with selinux.

FWIW, I've been dogfooding SE Linux for over a year without serious 
discomfort.

Sure there have been surprises. E.g. certain problems caused fsck to 
spew messages
that I dinna not even existed. On the whole, "targeted" selinux is 
pretty close to drop in
these days imho.

OTOH, I fully understand your out-of-box introduction to selinux trying 
to run mach.
That is a very hard environment, and there has been no serious attempt 
yet (afaik)
to attempt to write policy for a build system. That too is a rather hard 
problem requiring
different policy decisions than what is in "targeted".

Perhaps *you* should have started dog-fooding selinux sooner. It's not 
exactly like
the SELinux clouds have not been gathering for quite some time.

73 de Jeff