SELinux removed from desktop cd spin?

Andrew Farris lordmorgul at gmail.com
Wed Jan 16 22:34:44 UTC 2008


Valent Turkovic wrote:
> On Jan 16, 2008 10:00 PM, Alan Cox <alan at redhat.com> wrote:
>> On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
>>> I believe that SELinux is a great linux server security hardening tool
>>> but that has little use in desktop linux usage and it confuses
>>> ordinary desktop users.
>> Desktop users are the people it is most important for.  If it is still confusing
>> people we need to fix the confusions. Perhaps you can explain more ?
> 
> AVC denials that SELinux Troubleshoot Tool pops up really scare me :)
> There is half a screen of text and I can't figure out anything
> important from that. I see no information of value to me as a desktop
> user. I don't know whether my laptop is about to blow up or whether it is some minor
> error I can safely ignore.
> 
> I have about 20 AVC denial messages in SE Tool right now... they all
> make zero sense to me. I just got one from NetworkManager after my
> laptop returned from sleep... and I see a bunch of them regarding
> VirtualBox temporary files... etc... etc...

That tool should not be running for users who do not understand it.  The typical 
user (assuming the policy is *correct* and no longer buggy, a future use case) 
does not need to care about AVC denials; they do not need to know about them. 
The typical user will happily go along doing what they want to do, with 
SELinux protecting their machine from doing things it should not.  (Obviously, 
due to buggy policy and the ever-changing needs of various packages, this is not 
a stable condition yet!)

If selinux troubleshoot scares you, turn it off; it's for development and 
debugging.  A user should not need to know when denials happen, unless they are 
1) helping to debug policy, or 2) looking for security breaches.

-- 
Andrew Farris <lordmorgul at gmail.com> <ajfarris at gmail.com>
  gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----
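As an added example (not part of Andrew Farris's post, and not Fedora's or setroubleshoot's own code): a POSIX shell function that condenses raw AVC denial records, the audit.log lines that setroubleshoot is summarizing, into a count per process, denied permission, object class and target label. That one-line-per-pattern view is what a person in case 2 above ("looking for security breaches") wants first, since a confined system daemon repeatedly denied on the same file reads very differently from a one-off denial after resume. The audit lines in AVC_SAMPLE are constructed for illustration, modelled on the NetworkManager and VirtualBox denials mentioned in the thread.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: summarize SELinux AVC denials
# from audit.log-style records. The records below are constructed sample data.

AVC_SAMPLE='type=AVC msg=audit(1200523212.123:45): avc:  denied  { read } for  pid=2731 comm="NetworkManager" name="resolv.conf" dev=dm-0 ino=12345 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1200523299.456:46): avc:  denied  { write } for  pid=3102 comm="VirtualBox" name="vbox-tmp" dev=dm-0 ino=23456 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1200523300.789:47): avc:  denied  { write } for  pid=3102 comm="VirtualBox" name="vbox-tmp" dev=dm-0 ino=23456 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1200523300.789:47): arch=c000003e syscall=2 success=no exit=-13'

# count_denials: number of AVC "denied" records on stdin (other audit record
# types, e.g. the SYSCALL line that accompanies a denial, are ignored).
count_denials() {
    grep -c 'avc:  denied'
}

# summarize_avc: read audit records on stdin and print one line per distinct
# (comm, permission, tclass, tcontext) tuple, prefixed by how often it occurred,
# most frequent first.  Field order: count comm permission tclass tcontext
summarize_avc() {
    grep 'avc:  denied' |
    sed -n 's/.*denied  { \([^}]*[^ ]\) *}.*comm="\([^"]*\)".*tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\2 \1 \4 \3/p' |
    sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Stand-alone demo on the constructed sample; on a real box one would feed it
# "ausearch -m avc -ts recent" output instead (assumes audit is installed).
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
```

The output for the sample is two lines, "2 VirtualBox write file system_u:object_r:tmp_t:s0" and "1 NetworkManager read file system_u:object_r:etc_t:s0". Reading it that way makes the distinction in the post concrete: the VirtualBox entries are an unconfined user process touching tmp_t and are a policy or labeling question, while a confined system daemon such as NetworkManager_t being denied on an etc_t file is the kind of line someone debugging policy, or hunting for a compromised daemon, actually needs to look at.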
More information about the fedora-devel-list mailing list