SELINUX file contexts FUBARed in fresh install?

Rahul Sundaram sundaram at redhat.com
Sun Jan 22 17:25:29 UTC 2006


Andy Burns wrote:

>
> OK, I'll wait until the udev/hotplug dependencies have been fixed first

Ok.

>
> anything more than a "restorecon -R /" required?

A reboot should follow that.

>> Yes that can be a bother but it requires discussion you can post to 
>> fedora-selinux list about it. Part of the development process of 
>> ensuring that we don't end up with a broken release.
>
> No problem, one reason I'm here is that I want to see FC5 in good 
> enough shape to upgrade a bunch of our FC3 servers, I have to admit 
> that I blow hot and cold on SELINUX, I know what it protects against 
> and like the idea, but it seems to do quite a lot of shooting at its 
> own feet ...

You are shooting the messenger there. You knew what security is. It 
provides restrictions and restrictions can impede flexibility. We kind 
of work around that by using SELinux booleans. man booleans and look at 
system-config-securitylevel for how to use it and then there are 
problems with other developers changing file paths and stuff that break 
SELinux policies since they are developed in a centralized way. Policies 
have to be associated with the packages themselves and developers have to 
fix policies along with development related changes they make. Making it 
possible is part of the reference policy work that has gone into the 
development tree now. We are getting there - one step at a time. Some 
early adopter hassles are inevitable for any technology right from the 
kernel to things like Xen and SELinux now but this wider exposure and 
feedback combined with Fedora policy of staying close to upstream 
benefits everybody using Linux and not just Fedora. You will have to 
understand that users who don't even use SELinux have been benefited from 
it due to the number of security issues the relevant developers found 
and fixed while writing those policies. It helps in more than one way 
for people who are completely unaware of its benefits and not even using 
it. Eventually it will be transparent enough and provide additional 
security by default which is what we are shooting for.

-- 
Rahul 

Fedora Bug Triaging - http://fedoraproject.org/wiki/BugZappers



