
Re: Keeping SELinux on (was Attention: Proprietary video driver users (ATI, Nvidia, etc.))



Benjy Grogan wrote:
I'm in favor of SELinux. I've heard that when writing these policies the developers have actually improved the applications themselves. They realized that an application didn't really need this or that permission and so they adjusted the code and wrote an even better policy. SELinux seems to have some use in debugging software.

If people are afraid of SELinux I think what's needed is more education on it. More "layman" articles getting across a few of the "ideas" behind SELinux.

The problem with SELinux is that anyone whose use of a computer involves more than clicking on icons is pretty much forced to become an SELinux
guru.  Simple things like "ping xxx >$HOME/ping.result" failing because
ping isn't allowed to write to user_home_t don't make people big fans
of SELinux.  I fought with SELinux for quite a while, left it in
permissive mode, ran audit2allow on whatever complaints turned up, and
resolved to use enforcing mode if I could ever get through a week
without seeing more "AVC ... denied" complaints.  Never made it.
Finally gave up, deleted the ACLs from the file systems, and added
"selinux=0" as a kernel parameter.

--
Bob Nichols         Yes, "NOSPAM" is really part of my email address.
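
Added example, not part of the original message: a simplified stand-in for the audit2allow step described above, which groups "avc: denied" records by source type, target type and object class so the resulting allow rules can be reviewed before anything is loaded. The log lines are constructed for illustration, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed audit records for illustration (not from the original message).
SAMPLE_LOG = """\
type=AVC msg=audit(1160000000.101:41): avc:  denied  { write } for  pid=2301 comm="ping" name="ping.result" dev=dm-0 ino=5521 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1160000000.102:42): avc:  denied  { getattr } for  pid=2301 comm="ping" name="ping.result" dev=dm-0 ino=5521 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1160000000.103:43): avc:  denied  { search } for  pid=2301 comm="ping" name="user" dev=dm-0 ino=5500 scontext=user_u:system_r:ping_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1160000000.103:43): arch=40000003 syscall=5 success=no exit=-13 comm="ping"
"""

# Matches only denials; granted records and non-AVC records are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    fields = context.split(":")
    return fields[2] if len(fields) >= 3 else None


def summarize_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        src, tgt = type_of(m["scon"]), type_of(m["tcon"])
        if src is None or tgt is None:
            continue  # malformed context: ignore rather than guess
        rules[(src, tgt, m["tclass"])].update(m["perms"].split())
    return dict(rules)


def render_rules(rules):
    """Render the grouped denials as allow rules, one per type pair and class."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        lines.append(f"allow {src} {tgt}:{cls} {perm_text};")
    return lines


if __name__ == "__main__":
    print("\n".join(render_rules(summarize_denials(SAMPLE_LOG))))
```

Each rendered rule applies to every object of the target type, so a rule such as `allow ping_t user_home_t:file { getattr write };` covers all files labeled `user_home_t`, not only `ping.result`.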

