[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Keeping SELinux on (was Attention: Proprietary video driver users (ATI, Nvidia, etc.))



On Thursday 23 February 2006 07:34am, Jeff Spaleta wrote:
> On 2/23/06, Rudolf Kastl <che666 gmail com> wrote:
> > thats definitely a worst case scenario ;)
>
> And sadly the most likely one, until there are some end-user oriented
> notifications from the system which explain what is going on and why,
> when an selinux related denial happens.  Having to keep a running tail
> of /var/log/messages open and learning how to decipher the avc
> messages while using vendor installers is a hurdle an order of
> magnitude too large for normal home users who don't understand the
> underlying issues.  And sadly, reaching out to other users tends to
> get you blanket "turn off" selinux answers.  There is a steep learning
> curve associated with selinux denials, and unless the fedora system
> makes an attempt to point users to granular tools as the denials occur
> the re-education effort is going to be hamstrung.

By no means is this limited to home users.  I would say that the *vast* 
majority of corporate admins just turn off SELinux.  The story behind how & 
why they learned to do that to begin with only vary in details.  It's almost 
always, "I had problems installing X or doing Y and I found a document on the 
Internet that said that SELinux was in the way and didn't work right anyway 
and was too complicated and didn't do me any good and that I couldn't learn 
enough about it to even understand what was happening, let alone deal with 
it, in less than a month and ... well, so I just turn off SELinux and then I 
don't have to deal with it."

I teach Linux for a living.  I teach Red Hat's courses and hear this story in 
almost every class taught.  Students even ask me if they'll have to do 
SELinux in the RHCT/RHCE exams, and then cringe in anticipation that I'll 
reply, "Yes.".  Of course, the only answer I can give is "I don't know; if 
it's in the book it could be on the exam." ;)

You're right, there needs to be a buffer that makes SELinux troubleshooting 
and education less intimidating if we want end-users to keep SELinux enabled.  
I tell students in my classes that SELinux *is* intimidating and that they 
are not going to learn enough about it to write their own policy.  But that 
they will learn enough to understand why SELinux is important and valuable 
and to be able to identify and fix the most common problems (missing labels, 
booleans that need flipping, etc.) so that they can keep their SELinux 
enabled systems running smoothly and that it's not as hard as they think.

I also think that application developers need to think about SELinux when 
writing code.  If they also helped (that's "helped", not "did all the work") 
in producing policy for their own app(s), it just might not "get in the way".

This might be a pipe dream today; but, I remain hopeful.
-- 
Lamont R. Peterson <lamont gurulabs com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
GPG Key fingerprint: F98C E31A 5C4C 834A BCAB  8CB3 F980 6C97 DC0D D409

Attachment: pgp8RyVWmE1na.pgp
Description: PGP signature


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]