SELinux should be off by default in FC3

Nathan Grennan fedora-devel-list at cygnusx-1.org
Thu Oct 7 15:41:30 UTC 2004


On Thu, 2004-10-07 at 08:46 -0400, Stephen Smalley wrote:
> The mv command preserves protections by default, as expected.  A similar
> issue would arise if the original ownership and mode bits on the file
> prior to moving prevented access by apache, right?
> 

Security contexts are generally hidden, there are so many more, and are
a lot more complex. Owner/Group/Permissions/Umask are set up in such a
way that they are generally not a problem, unlike security contexts.

> And they already have to deal with setting mode bits.  Running
> restorecon on the file as an extra step is just an education issue.
> 

I think this is asking too much, especially when the complexity level is
such that users won't generally be manually setting security context,
but letting the system figure out the correct context for them via
restorecon. That says to me it is more of an automation problem than it
is an education problem.

> Improved transparency is certainly a good thing, but you are imposing an
> unfair requirement on SELinux that does not exist for the existing DAC
> protections and total transparency would just mean no protection at
> all.  
> 

I think overall what it comes down to is that SELinux micro-manages
security way too much. SELinux's level of security might be suitable in
some situations, but will be too much of a burden in most situations.



