
Re: Request to re-add option to disable SELinux



Why don't we have a compromise policy, where interactive users are not restricted except their browsers? System daemons would be restricted of course.
Another suggestion is for when something breaks because of SELinux and I get a balloon about it, but I am unable to modify SELinux policy to "correctly" fix that problem. The suggestion is to allow the user a mechanism to launch the affected program in SELinux-free mode (like launch as administrator from the Vista world!). Basically, SELinux builds very tight walls around the system; the end user needs a hammer to break some of these walls to get his work done. If we don't provide the hammer, he'll end up turning it off completely!

On Thu, Jul 3, 2008 at 11:29 AM, Alan Cox <alan redhat com> wrote:
On Wed, Jul 02, 2008 at 05:20:50PM -0400, Jon Masters wrote:
> I think the only way to "fix" it for the foreseeable future is to
> simplify policy, so that only a very limited set of services are
> confined. Then, when the graphical tools and user experience have
> eventually caught up, it'll be trivial to switch policy again.

How will you know you have "fixed" it if you have the bits in question
turned off - you won't. You have no meaningful way to make progress.

Sorry if I sound fed up of all of this but I spent 9 months fighting people
years back to get firewalling enabled by default, and that had all the same
arguments. Today nobody (even Microsoft) would propose otherwise.

This is the same thing ..

As to Setroubleshoot it would be nicer if it spoke more "end user" ese and
could prompt/fix common mislabelling (eg html files)

