Request to re-add option to disable SELinux

Ahmed Kamal email.ahmedkamal at googlemail.com
Thu Jul 3 08:50:59 UTC 2008


Why don't we have a compromise policy, where interactive users are not
restricted except their browsers? System daemons would be restricted of
course.
Another suggestion is when something breaks because of SELinux, and I get a
balloon about it. However, I am unable to modify SELinux policy to
"correctly" fix that problem. The suggestion is to allow the user a
mechanism to launch the affected program in SELinux-free mode (like launch
as administrator from the Vista world!). Basically, SELinux builds very
tight walls around the system; the end user needs a hammer to break some of
these walls to get his work done. If we don't provide the hammer, he'll end
up turning it off completely!

On Thu, Jul 3, 2008 at 11:29 AM, Alan Cox <alan at redhat.com> wrote:

> On Wed, Jul 02, 2008 at 05:20:50PM -0400, Jon Masters wrote:
> > I think the only way to "fix" it for the foreseeable future is to
> > simplify policy, so that only a very limited set of services are
> > confined. Then, when the graphical tools and user experience have
> > eventually caught up, it'll be trivial to switch policy again.
>
> How will you know you have "fixed" it if you have the bits in question
> turned off - you won't. You have no meaningful way to make progress.
>
> Sorry if I sound fed up of all of this but I spent 9 months fighting people
> years back to get firewalling enabled by default, and that had all the same
> arguments. Today nobody (even Microsoft) would propose otherwise.
>
> This is the same thing ..
>
> As to Setroubleshoot it would be nicer if it spoke more "end user" ese and
> could prompt/fix common mislabelling (eg html files)
>
> --
> fedora-devel-list mailing list
> fedora-devel-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>