
Re: Fedora (again) forces me to disable SELinux



Mark wrote:
> 2008/4/1, Andrew Farris <lordmorgul gmail com>:
> > Beta.
>
> Not beta! This is selinux related and is like this for years so don't
> tell me it's because of "beta". Otherwise try out Fedora 8 final fully
> updated to see for yourself. It's (again) just selinux.

You have to understand how much about selinux is a moving target because Fedora is a moving target; this is very much an issue of 'beta'. SELinux policy is not developed in a vacuum or independently. It's not just another application helping to secure the system along with your firewall; it must handle the oddball behavior of every constrained bit of code on the system. It can never be 'just selinux' because selinux is not that type of application/package (the fact that you can turn it off doesn't mean it's 'separate').

There may never be a fully complete policy that can drop into a distribution and 'just work'. Fedora is a rapidly changing package space; the policy plays keep up, so yeah, it's always a beta issue until the full release. It basically starts over as the totally new versions of software show up -- the more the software changes, the more the policy is deficient to work with it. The feature set of F9 has a lot different from F8, with major code changes that affect the selinux policy... it's not all auto-generated (which btw is impossible because programs are deterministic but programmers are not; selinux constrains both how and 'why' accesses occur).

Having hundreds of denials as you try to update is NOT normal selinux behavior; that happens only when something is really broken. It also happens often when people try to run selinux here and there, trying to turn it on and get things going, having issues, and shutting it off again for weeks. Trust me, I realize how that goes.. I've made a conscious effort to keep my systems (both stable and testing systems) running selinux enforcing since it showed up in Fedora. It takes a lot of time but it's dramatically improved and continues to improve!

I have run F8, and I ran it selinux enforcing for months. It really does get easier to work with the more you try, and especially the less your system packages are changing. But I'm also not saying that selinux is a finished product... sometimes it does cause problems, but I've seen legitimate audits as well (not that often, but when they become frequent we'll all be glad that selinux developers/testers did this work now and not starting then).

And that wall of text is just to say, you ran into a pretty bad little beta issue, it happens. :)

> I simply don't get why such an idiotic system has to be in fedora...
> Fedora is about user friendly distributions right? this one isn't user
> friendly at all. Till now I've always disabled selinux as soon as the
> first boot was completed.


Well, it's clear you don't understand it, which is ok, but debating its purpose or implementation is not a reasonable use of time. You may continue to disable SELinux... I'll continue to do everything I can to help the developers improve it because I value what it provides.

> I'm interested in trying it out and having a secured linux machine but
> not this way. Once its illnesses are fixed (if that ever gets done)
> and selinux only spits out warnings like every other firewall is doing
> then I will probably use it by default as well. Just not now because
> of the reasons I told a few times now.

I hope it gets there too, but again, the nature of the beast is that policy won't be perfect unless software stops changing, and we don't want that.

--
Andrew Farris <lordmorgul gmail com> www.lordmorgul.net
 gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB  5BD5 5F89 8E1B 8300 BF29
 revoked key 0xC99B1DF3 no longer used
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----
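The reply above says that hundreds of denials during an update mean something is really broken, which raises the practical question of how to tell what is broken from the audit log rather than switching enforcement off. The script below is an added example, not part of this thread and not a Fedora or SELinux project tool: it parses AVC records in the format written to /var/log/audit/audit.log, groups denials by source domain, target type, object class and permission set (the same grouping a triage would do by hand), and separately lists any granted `setenforce` events, which is the record left behind when enforcement mode is changed. The sample log lines are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample in the format of audit.log AVC records (not real system output).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1207000001.123:4101): avc:  denied  { read } for  pid=2311 comm="httpd" name="index.html" dev=sda2 ino=9931 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1207000002.456:4102): avc:  denied  { read } for  pid=2311 comm="httpd" name="style.css" dev=sda2 ino=9932 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1207000003.789:4103): avc:  denied  { name_connect } for  pid=2311 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1207000003.789:4103): arch=c000003e syscall=42 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1207000004.001:4104): avc:  granted  { setenforce } for  pid=4410 comm="setenforce" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Fields of an AVC record: verdict, permission set, command, and the three context fields.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Normalise the permission set so "{ read write }" and "{ write read }" group together.
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    return rec


def type_of(context):
    """Third field of user:role:type:level is the SELinux type (e.g. httpd_t)."""
    return context.split(":")[2]


def summarize_denials(log_text):
    """Count denials by (source type, target type, object class, permissions).

    A few distinct keys with large counts usually point at one mislabeled
    path or one missing rule; many distinct keys across many domains is the
    'really broken' case from the thread.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]),
               rec["tclass"], rec["perms"])
        counts[key] += 1
    return counts


def enforcement_changes(log_text):
    """List (comm, source type) for granted setenforce events, i.e. mode switches."""
    changes = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "granted":
            continue
        if rec["tclass"] == "security" and "setenforce" in rec["perms"]:
            changes.append((rec["comm"], type_of(rec["scontext"])))
    return changes


if __name__ == "__main__":
    for (src, tgt, cls, perms), n in summarize_denials(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n:4d}  {src} -> {tgt}  {cls}  {{ {' '.join(perms)} }}")
    for comm, src in enforcement_changes(SAMPLE_AUDIT_LOG):
        print(f"enforcement mode changed by {comm} running as {src}")
```

Run against a real file with `python3 this_script.py` after replacing `SAMPLE_AUDIT_LOG` with the contents of audit.log; the grouping is what `audit2allow` and `sealert` also start from, but seeing the raw counts first shows whether the fix is a relabel (one target type, one path pattern) or genuinely a policy gap.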

