[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Request to re-add option to disable SELinux



On Wed, 2008-07-02 at 17:16 -0400, Alan Cox wrote:
> On Wed, Jul 02, 2008 at 04:46:35PM -0400, Jon Masters wrote:
> > If it were really black and white like that, then I'd have to argue for
> > SELinux to be disabled by default on new Fedora installs and have users
> > go into the system config dialog to turn it back on. After all, if
> > you're going to use the following argument:
> 
> "This car has brakes, enable them ?"

Well, you can turn the ABS on and off in some cases.

> "Would you like the seatbelts to work ?"
> "Shall I enable the airbag ?"

You can turn the child restraint passenger system on/off on most models
of car to deal with the injury sustained from airbag deployment.

"Would you like to use regular gas or premium?"

> SELinux should be disablable is the wrong discussion. The discussion you should
> be having is "I've filed a few bugs where SELinux didn't magically do the right
> thing, how do we fix them and can we make these less likely to occur in future"

I think the only way to "fix" it for the foreseeable future is to
simplify policy, so that only a very limited set of services are
confined. Then, when the graphical tools and user experience have
eventually caught up, it'll be trivial to switch policy again.

> If it was a car this discussion ie - "I had a brake problem so I disabled them"
> would not be considered sane

No, but there are many other more suitable analogies :)

Jon.



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]