Fedora (again) forces me to disable SELinux

Mark markg85 at gmail.com
Tue Apr 1 00:24:24 UTC 2008


2008/4/1, Jeff Spaleta <jspaleta at gmail.com>:
>
>
> On Mon, Mar 31, 2008 at 3:20 PM, Mark <markg85 at gmail.com> wrote:
> > Hey,
> >
> > I just installed the Fedora 9 Beta release and am doing a full system
> > update as we speak.
> > While downloading the updates nothing is wrong.. it just downloads and
> > that's it. But when installing the updates i get a ton of selinux
> > notices!! and this is just a default Fedora 9 beta followed by a yum
> > -y update.
>
> Are you suggesting there are...bugs in the beta? That's an outrageous
> accusation to make!
>  Oh wait.. no it isn't.  I'm sure there is a set of bugs tracking selinux
> issues that you should probably check.  There's also the test mailing list
> where you could post avc messages and try to get other people to help you
> figure out why you are seeing them and if the underlying issue is a bug that
> has been fixed in a subsequent rawhide update.

Well i'm not saying that Fedora beta has selinux bugs. just that till
now my experience with selinux has been bad and i have to turn it off
to have a normally functional desktop.
And i've seen selinux for at least a few years now in distributions
and there is always something wrong (perhaps not a bug but it annoys
the user) so i doubt that it will ever get "normal" (at a point where
i can just use the desktop without selinux asking my attention).

>
> >
> > Also another issue that i noticed was when looking at a flash
> > animation in firefox.. when i want to play the animation selinux
> > (again) drops in and tells me i can't. (or i need to run a command to
> > get it working).
>
> Is this adobe's proprietary flash perchance?
>

Nope, it isn't. Fedora 9 (beta) gets some flash capable player in
firefox 3.. i didn't install adobe flash yet. The site i was looking at
was: www.digg.com and then pressing the huge PLAY sign.

> -jef


2008/4/1, Andrew Farris <lordmorgul at gmail.com>:
> Mark wrote:
>  > Hey,
>  >
>  > I just installed the Fedora 9 Beta release and am doing a full system
>  > update as we speak.
>  > While downloading the updates nothing is wrong.. it just downloads and
>  > that's it. But when installing the updates i get a ton of selinux
>  > notices!! and this is just a default Fedora 9 beta followed by a yum
>  > -y update.
>
>
> A few suggestions... first, this is beta software, so naturally the fresh beta
>  install is going to have some issues.  Why wouldn't you expect that it is
>  possible selinux wouldn't play quietly in its corner right after you install...
>  yet you probably wouldn't think twice about a few little issues with gdm or
>  nautilus?

I wouldn't find it strange to see bugs in nautilus/gdm/any other than
selinux. Selinux is just: Annoying, frustrating, irritating
and asking to be disabled. My selinux history tells me that this isn't
a bug.. it's just selinux.

>
>  Now suggestions.
>  - To keep selinux running nicely on your desktop you need to relabel or
>  restorecon your files frequently, especially after any updates are done.  If you
>  update selinux-policy or your kernel, immediately do 'touch /.autorelabel' and
>  then reboot... when you don't you're tempting selinux to annoy you with denials
>  (expected behavior).
>  - Use tmpfs for /tmp.  This one suggestion from Dan Walsh has been very helpful
>  for my systems.  Just add the following line to your /etc/fstab:
>  tmpfs  /tmp  tmpfs  defaults 0 0
>
>   then do:
>  rm -Rf /tmp/*; reboot
>
>  Then remember that files in tmp are supposed to be temporary and don't save
>  large downloads, misc files, etc, in tmp... they will disappear at reboot, and
>  tmp is only 512Mb with tmpfs defaults.
>

First: it requires a reboot which should not be the case for ANY linux
based program unless it has a good reason. Windows == reboots after
every update. Don't follow that path on linux!

Second: it requires me to INVESTIGATE the issues, find solutions and
fix it. Sorry to tell but that's not my job nor am i willing to do it
and it requires a lot of time to fix issues that should not even
exist.

Third: The tmpfs thing might be handy but i would just like to run the
OS in its default stuff. If i need to edit things like that then
there is something wrong with Fedora.

>  - Run selinux-policy-targeted (the default, so don't change it) and then learn a
>  little bit about what denials mean, why they happen, and report those that you
>  cannot figure out.  Use setroubleshoot and sealert.  I've got lots of denials in
>  my audit database right now (actually 30+ of them are new today, for various
>  stuff I've been testing)... but not one of them has stopped me from 'doing real
>  work' on the system.
>
Again require me to do some work to get things fixed which should not
even be broken in the first place.

I simply don't get why such an idiotic system has to be in fedora...
Fedora is about user friendly distributions right? this one isn't user
friendly at all. Till now i've always disabled selinux as soon as the
first boot was completed.

Also a note about the selinux stats in the smolt database. When you
install fedora selinux is (sadly) enabled by default. And on the first
boot you get the smolt system specs sending stuff.. at that point
(at least in F9 beta) there was NO option to turn off selinux so the
stats will therefore always indicate a higher selinux usage than is
actually the case. i turned it off right after those smolt things
were sent but i'm in the smolt db now with selinux enabled!

O well.. enough selinux bashing for now ^_^
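
Added example, not part of the original thread: the replies quoted above suggest posting AVC messages, relabeling after updates, and reporting the denials you cannot explain. This sketch groups AVC denials from audit log text and separates likely labeling problems from ones worth reporting. The log lines are constructed, the function names are hypothetical, and treating `file_t`, `unlabeled_t` and `default_t` targets as mislabels is a heuristic assumed for this example.

```python
import re
from collections import Counter

# Constructed sample input (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1207009464.101:31): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=4021 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1207009465.204:32): avc:  denied  { read } for  pid=2101 comm="httpd" name="logo.png" dev=dm-0 ino=4022 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1207009470.310:33): avc:  denied  { write getattr } for  pid=2250 comm="gdm" name="cache" dev=dm-0 ino=5100 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
type=SYSCALL msg=audit(1207009470.310:33): arch=40000003 syscall=5 success=no exit=-13
"""

# Heuristic (assumption of this example): a target with one of these types
# usually has a missing or stale label, which relabel/restorecon addresses.
MISLABEL_TYPES = {"file_t", "unlabeled_t", "default_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def summarize(log_text):
    """Count AVC denials per (source type, target type, class, perms)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if "type=AVC" in line else None
        if m:
            perms = tuple(sorted(m["perms"].split()))
            counts[(selinux_type(m["scon"]), selinux_type(m["tcon"]),
                    m["tclass"], perms)] += 1
    return counts

def triage(counts):
    """Tag each group 'relabel' (likely stale label) or 'report' (ask/file a bug)."""
    return [("relabel" if tgt in MISLABEL_TYPES else "report", src, tgt, cls, perms, n)
            for (src, tgt, cls, perms), n in counts.most_common()]

if __name__ == "__main__":
    for row in triage(summarize(SAMPLE_LOG)):
        print(row)
```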




More information about the fedora-devel-list mailing list