Request to re-add option to disable SELinux

Colin Walters walters at verbum.org
Wed Jul 2 20:58:58 UTC 2008


On Wed, Jul 2, 2008 at 4:46 PM, Jon Masters <jonathan at jonmasters.org> wrote:

> On Wed, 2008-07-02 at 16:28 -0400, Colin Walters wrote:
>
> > Yeah, we're trying to make installing Fedora not be a Choose Your Own
> > Linux Adventure game.
>
> I agree (partially) with that sentiment. Though it can obviously go way
> too far with the aim of making life "easier" during a 10 minute install.
>

I don't think we can go too far in cutting out the crap from the install
process for desktops.  The target audience is (or should be) people who have
*more important things* to do with their time than play Build My Own Linux.
They hit "Next" on the partitioning screens, firewall, etc.

If our defaults are broken, we should acknowledge that as a bug instead of
foisting the choice onto our users.

> > Either the SELinux policy works well enough that it is enabled by
> > default and supported, or it's not.
>
> If it were really black and white like that, then I'd have to argue for
> SELinux to be disabled by default on new Fedora installs and have users
> go into the system config dialog to turn it back on. After all, if
> you're going to use the following argument:
>

Yes, I think what you should be arguing is that it should be permissive or
disabled by default.

I'm not sure I would agree with that argument personally given that I see
little hope for any other extended security system (e.g. AppArmor is
architecturally broken).

There are plenty of other possible choices besides just enabling by default
or disabling:

o Default rawhide installs to permissive
o Create a system that automatically sends denials back to Fedora and treat
them like crashes
o Tune down the default policy to move more things back into unconfined_t,
and focus more strongly on vulnerable network servers like Samba, Apache
etc.
o Actually have a regression test suite for Fedora and run updates through
it

etc.


More information about the fedora-devel-list mailing list