Attention: Proprietary video driver users (ATI, Nvidia, etc.)

Bruno Wolff III bruno at wolff.to
Fri Feb 24 16:16:50 UTC 2006


On Fri, Feb 24, 2006 at 10:25:00 -0500,
  "Mike A. Harris" <mharris at mharris.ca> wrote:
> 
> 2) Would make people get upset at SELinux and probably disable it if
> they don't already.

I admit I did that for FC3, but I really like targeted for FC4.
I had a couple of issues with httpd where I had some stuff outside the
/var/www/html tree that needed to be marked with the correct context and
a few perl scripts that needed more access (mostly access to postgres and
one talks to a remote host) that I made unconstrained (though I am trying
to learn enough to tighten them back up).

I really want to try out strict. I think I know enough now to be able to
work through problems and I don't like programs having network access
by default. This includes some CD players supplied by Fedora that
are configured to do remote lookups by default. I also don't trust
game software provided by commercial vendors. When I upgrade to FC5 I am
going to at least try it out.

> Everyone is given an OS to install and use, and with that freedom
> comes responsibility.  You're given the rope to hang yourself with
> in thousands of places in Linux and Linux-like OSs.  It is entirely
> the responsibility of the system administrator, or user responsible
> for the computer system to ensure that they are installing software
> wisely.

Currently that is a real pain to do, depending on how much trust you give
to various vendors. Ideally you would like a separate environment for
each different source of software that you want to install. So that when you
do installs, the install scripts can't do some things (phone home, install
DRM, etc.). You can kind of do that now by creating a separate account
for each source and setting up necessary directories with appropriate ownership
before doing the install.

While I did something like this for Neverwinter Nights, so I could restrict its
network access by user in my packet filter, this gets tiring after a while.
SELinux isn't going to solve this problem either, but I might be able to
have it block some bad behavior for me without spending as much effort.
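The per-source account and per-user packet-filter setup described above, written out as a script. This is an added example, not code from the original thread; it assumes Linux iptables with the owner match module, and the vendor name, install path and server address are constructed.

```shell
#!/bin/sh
# One dedicated account per software source, an install tree owned by that
# account, and iptables "owner" match rules so that everything the account runs
# loses outbound network access except what is explicitly allowed.
# Assumed: Linux with iptables and its owner match (-m owner --uid-owner);
# real changes need root. DRY_RUN=1 prints the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Emit the OUTPUT-chain rules for one account. Everything from that uid is
# rejected except loopback and, optionally, one TCP host:port (e.g. a game's
# own login server). Order matters: ACCEPT rules must precede the REJECT.
outbound_rules() {
    user="$1"; allow_host="${2:-}"; allow_port="${3:-}"
    echo "iptables -A OUTPUT -m owner --uid-owner $user -o lo -j ACCEPT"
    if [ -n "$allow_host" ] && [ -n "$allow_port" ]; then
        echo "iptables -A OUTPUT -m owner --uid-owner $user -p tcp -d $allow_host --dport $allow_port -j ACCEPT"
    fi
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j REJECT"
}

# Create the account and its install tree, then load the rules. The vendor's
# installer is afterwards run as that account (e.g. su - "$user" -c ./install.sh),
# so an install script that phones home or writes outside its tree fails.
confine_vendor() {
    user="$1"; tree="$2"; allow_host="${3:-}"; allow_port="${4:-}"
    run useradd --system --user-group --home-dir "$tree" --shell /bin/sh "$user"
    run install -d -o "$user" -g "$user" -m 0750 "$tree"
    outbound_rules "$user" "$allow_host" "$allow_port" | while read -r rule; do
        # The rule is a command line we built ourselves, so word splitting is intended.
        run $rule
    done
}

if [ "${1:-}" = "--demo" ]; then
    # Show what would happen for a constructed vendor account "nwn" under /opt/nwn.
    DRY_RUN=1
    confine_vendor nwn /opt/nwn 192.0.2.10 5121
fi
```

Run with `--demo` to see the commands without changing anything; as root without `DRY_RUN` it creates the account and loads the rules.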