Keeping SELinux on (was Attention: Proprietary video driver users (ATI, Nvidia, etc.))
Benjy Grogan
benjy.grogan at gmail.com
Sat Feb 25 07:19:10 UTC 2006
On 2/24/06, Robert Nichols <rnicholsNOSPAM at comcast.net> wrote:
>
> Benjy Grogan wrote:
> > I'm in favor of SELinux. I've heard that when writing these policies
> > the developers have actually improved the applications themselves. They
> > realized that an application didn't really need this or that permission
> > and so they adjusted the code and wrote an even better policy. SELinux
> > seems to have some use in debugging software.
> >
> > If people are afraid of SELinux I think what's need is more education on
> > it. more "layman" articles getting across a few of the "ideas" behind
> > SELinux.
>
> The problem with SELinux is that anyone whose use of a computer involves
> more than clicking on icons is pretty much forced to become an SELinux
> guru. Simple things like "ping xxx >$HOME/ping.result" failing because
> ping isn't allowed to write to user_home_t don't make people big fans
> of SELinux. I fought with SELinux for quite a while, left it in
> permissive mode, ran audit2allow on whatever complaints turned up, and
> resolved to use enforcing mode if I could ever get through a week
> without seeing more "AVC ... denied" complaints. Never made it.
> Finally gave up, deleted the ACLs from the file systems, and added
> "selinux=0" as a kernel parameter.
>
Lots of work to be done. Security must be taken seriously. Higher-level
functionality will hopefully make SELinux easier to use in future. Can't
compromise on security. Powerful security must become mainstream.
Benjy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20060225/92bd41dc/attachment.htm>
More information about the fedora-devel-list
mailing list