
Re: first encounters with SELINUX, with some suggestions



Thomas Vander Stichele wrote:

Hi,



- A lot of developers I know, including a bunch at Red Hat, *turn off
SELINUX entirely*. IMO, something that gets pushed at heavily as this
should be dogfooded by the development team at Red Hat completely, so
they encounter firsthand what it means and how to fix basic issues.


FWIW I have three machines here, of which two have SELinux always on in
enforcing mode, and the third sometimes on (dogfooding Rawhide here, so
sometimes things break...). They're all using the targeted policy.



Oh, I'm sure there are developers dogfooding it. My point is that *all* of the Red Hat developers should be dogfooding it if you think SELINUX should be the default (which I assume is being thought since it's the default in anaconda).



All RH developers do not work on FC3. (A lot run on RHEL 3 and AS 2.1.) SELinux with strict policy was very difficult to develop on, so a lot of developers turned it
off. Now that it is targeted policy, they are using it more and more. Most of the problems
we are seeing now are with different Apache setups, which most developers would not
have discovered on the desktop.


My sample of developers was not correctly chosen if I wanted half of
them to run it.  But I think *all* of them should run it, and they
should come to you or Karsten or Colin when they run into stuff they
can't figure out, so that it becomes impossible for me to find even
one RH developer that doesn't know basic stuff about SELINUX.

For any other subsystem I would say this ideal was utopian; for
something that's this impacting on end users I'd say it's a necessity.
But, of course, just my POV :)

Thomas


Dave/Dina : future TV today ! - http://www.davedina.org/
<-*- thomas (dot) apestaart (dot) org -*->
If you don't ask me out to dinner I don't eat
<-*- thomas (at) apestaart (dot) org -*->
URGent, best radio on the net - 24/7 ! - http://urgent.fm/






