Fedora (again) forces me to disable SELinux

Mark markg85 at gmail.com
Sat Apr 5 12:15:40 UTC 2008


2008/4/5, Daniel J Walsh <dwalsh at redhat.com>:
> Mark wrote:
> > Hey,
> >
> > I just installed the Fedora 9 Beta release and am doing a full system
> > update as we speak.
> > While downloading the updates nothing is wrong.. it just downloads and
> > that's it. But when installing the updates I get a ton of SELinux
> > notices!! And this is just a default Fedora 9 beta followed by a yum
> > -y update.
> >
> > Also another issue that I noticed was when looking at a flash
> > animation in firefox.. when I want to play the animation SELinux
> > (again) drops in and tells me I can't (or I need to run a command to
> > get it working).
> >
> > Now I've tried to run SELinux on Fedora 7 and 8 for as long as
> > possible just to see how long I can get around it.. I did some
> > commands in that time as well, but I always end up disabling
> > SELinux.
> >
> > I have no idea how other users are using Fedora in normal every day
> > usage without disabling SELinux.. I agree that a firewall should be in
> > Linux, but SELinux just doesn't seem mature yet (if it will ever be).
> > Perhaps it's time to start considering turning off SELinux and removing
> > it from the Fedora kernel completely? As long as it's complaining here
> > when I install updates or simply browse the web, SELinux gets shut
> > down completely!
> >
> > So.. how are you doing this?
> >
> >
> > Btw.. judging from the SELinux stats here:
> > http://smolts.org/static/stats/stats.html it says that nearly 50%
> > (48.4%) is turning off SELinux. And my guess is that all Fedora
> > servers keep it on, making up the other 50%.
> >
>
> The AVC messages you are probably seeing are SELinux attempting to
> confine firefox/nsplugins, although you did not submit them.
>
> During the Beta I have been turning on a transition boolean for
> nsplugin.  This transition is from unconfined_t to nsplugin_t.  The
> attempt here is to confine random code like flashplugin/acrobat and
> other closed source programs that read random data from the internet
> from attacking your machine.  I have to turn it on by default in
> Rawhide/Beta to find out what problems it causes.  I will probably turn
> it off when we release, to prevent it causing problems for people like you.
>
> I wrote about the change at
>
> danwalsh.livejournal.com/15700.html
>
> There is a potential real security gain from this, but we need to
> experiment to figure out how we can benefit the greatest number of users.
>
> I agree we need to tread lightly when adding new SELinux confinement for
> users, but we still have an ability that could really advance
> computer security.
>
> allow_execmod, allow_execstack, allow_execheap, allow_execmod have
> caused many AVCs to be seen by users, but they also can prevent buffer
> overflow attacks.  Sadly, badly coded applications have caused us to turn
> a lot of these checks off by default.
>
Hereby a promise from me to you and all of the Fedora development team.
Next time I install Fedora (9 final or even 10 Rawhide) I will
keep SELinux on, enforcing, as long as possible.

Then I will collect all the issues I find and file them all here in
this mailing list (no this thread). I won't make a Bugzilla report for
each warning! And an online SELinux warning database where all the
warnings are sent to would really be helpful here!

But for now it stays off till I reinstall.
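Dan's reply hinges on two things a user drowning in "a ton of SELinux notices" rarely separates: denials caused by the nsplugin_t confinement experiment, and denials governed by the allow_exec* memory-protection booleans he names. The script below is an added example, not code from this thread or from Fedora: it parses audit-log style AVC lines (the sample lines are constructed, including the `npviewer.bin` and `acroread` process names) and groups them by source type, target type, object class and permission, then maps the execmem/execstack/execheap/execmod denials onto the boolean that would silence each one. The point is to see what protection a boolean flip would actually be trading away before touching `setsebool`, rather than disabling SELinux wholesale.

```python
import re
from collections import Counter

# Constructed sample denials in audit.log format; not taken from the thread.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1207395000.123:45): avc:  denied  { execmem } for  pid=2104 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0 tclass=process
type=AVC msg=audit(1207395001.456:46): avc:  denied  { read } for  pid=2104 comm="npviewer.bin" name="cookies.sqlite" dev=sda3 ino=12345 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:object_r:mozilla_home_t:s0 tclass=file
type=AVC msg=audit(1207395002.789:47): avc:  denied  { execstack } for  pid=2210 comm="acroread" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0 tclass=process
type=AVC msg=audit(1207395003.012:48): avc:  denied  { execmem } for  pid=2104 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0 tclass=process
type=SYSCALL msg=audit(1207395003.012:48): arch=c000003e syscall=10 success=no exit=-13
"""

# Process-class permission -> the boolean that permits it. These are the
# memory-protection booleans Dan lists (plus allow_execmem, which governs
# the execmem permission the same way).
EXEC_BOOLEANS = {
    "execmem": "allow_execmem",
    "execstack": "allow_execstack",
    "execheap": "allow_execheap",
    "execmod": "allow_execmod",
}

# Pull the permission set, process name, and the three context fields out of
# an AVC record. Fields between comm= and scontext= (name=, dev=, ino=) vary
# by object class, so they are skipped with a lazy match.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()          # "{ read write }" -> ["read", "write"]
    rec["stype"] = rec["scontext"].split(":")[2]  # user:role:TYPE:level -> TYPE
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec["perms"]:
            counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


def memory_protection_denials(log_text):
    """Map process-class exec* denials to the boolean that would allow them.

    Each entry is a protection you would be giving up by flipping that boolean.
    """
    out = Counter()
    for (stype, ttype, tclass, perm), n in summarize(log_text).items():
        if tclass == "process" and perm in EXEC_BOOLEANS:
            out[EXEC_BOOLEANS[perm]] += n
    return dict(out)


def report(log_text):
    """Human-readable triage: one line per distinct denial, then boolean impact."""
    lines = []
    for (stype, ttype, tclass, perm), n in sorted(summarize(log_text).items()):
        lines.append(f"{n:3d}  {stype} -> {ttype} ({tclass}) {perm}")
    for boolean, n in sorted(memory_protection_denials(log_text).items()):
        lines.append(f"{n:3d} denials would be silenced by {boolean} (weakens memory protection)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AVC_LOG))
```

On a real system the input would be `/var/log/audit/audit.log` (or `ausearch -m avc`); the grouped view makes it obvious whether "a ton of notices" is really a handful of distinct rules fired repeatedly, and the boolean line shows exactly which buffer-overflow protection Dan refers to would be switched off if a given denial were resolved by flipping the boolean rather than by fixing the application or filing a policy bug.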
