Fedora (again) forces me to disable SELinux

Daniel J Walsh dwalsh at redhat.com
Sat Apr 5 15:04:50 UTC 2008



Rahul Sundaram wrote:
> Daniel J Walsh wrote:
> 
>> During the Beta I have been turning on a transition boolean for
>> nsplugin.  This transition is from unconfined_t to nsplugin_t.  The
>> attempt here is to confine random code like flashplugin/acrobat and
>> other closed source programs that read random data from the internet
>> from attacking your machine.  I have to turn it on by default in
>> Rawhide/Beta to find out what problems it causes.  I will probably turn
>> it off when we release, to prevent it causing problems, for people
>> like you.
>>
>> I write about the change in
>>
>> danwalsh.livejournal.com/15700.html
>>
>> There is a potential real security gain from this, but we need to
>> experiment to figure out how we can benefit the greatest number of users.
>>
>> I agree we need to tread lightly when adding new SELinux confinement to
>> the users, but we still have an ability that could really advance
>> computer security.
> 
> Please send a note to fedora-devel/fedora-test list when making
> important changes like this so people know what to expect and can give
> feedback accordingly.
> 
> Rahul
> 
Well, I actually misspoke; this has been on for the entire Rawhide period
after FC8 shipped.  I will be turning it off by default with the
shipping Fedora 9.






More information about the fedora-devel-list mailing list