
Re: SELinux in guides [was: Self-Introduction: Eric Christensen]



On Wed, 2008-01-09 at 08:33 +0900, Marc Wiriadisastra wrote:
> > Marc Wiriadisastra wrote:
> >> <snip>
> >>
> >>> The best standard for this, which we declare for other guides, is to do
> >>> a completely default installation of Fedora and work from that.  The
> >>> default SELinux mode is Enforcing the targeted policy.  I find it useful
> >>> to do testing in a VM since it means I don't have to monkey with my
> >>> actual system configuration -- and in any case that would be a bad idea
> >>> since it's sometimes difficult to predict how the changes one has
> >>> already made would affect testing results.
> >>>
> >>
> >> What do you use as a VM?  I tried VMWare and I don't really like it; I'm
> >> not too sure what else is out there.  Also, are there any docs to install
> >> the VM if you use a different kind?
> >>
> >> Cheers,
> >>
> >> Marc
> >>
> >>
> >     As just a user when I got to F7 I was Attacked by SELinux :-)
> > I wrote to the Fedora list my problems and found I was not alone. A
> > whole lot of F7 users deleted SELinux. Then on to F8 and I decided to
> > try it again and set it up full power and have had zero problems :-P
> >
> >     It is there to protect from bad things but never do I see or hear
> > from it. I think the developers got it right.
> >
> > Karl
> >
> >
> I definitely agree with you there.  The challenges show up when you try to
> create a samba share in your home directory, try to create a home
> public_html directory and a few other bits and pieces.
> 
> The main gripes can be fixed with the programs built into Fedora.  I
> still get SELinux popping up for Java and a few other programs but that's
> because of text/fonts and also with flash (online games for my son)
> 
> I do think however that it is a brilliant set up and a lot of the times a
> touch /.autorelabel or whatever it is fixes it. Other options are
> restorecon -r -v /directory fixes it.

I started using SELinux in FC3 (FC2?), retreated to "disabled" for the
rest of that release, and then for FC4 (FC3?) I just decided to man up
and face it, since all the reading I did made it seem completely amazing
and a far superior design to AppArmor.  (Not to mention which there was a
good chance I'd run into it again in the public sector.)

In F7 and F8 it has been remarkably good, and the setroubleshoot/sealert
tools have helped me better understand how it works.  (Plus Karsten's
FAQ, thanks man.) :-)  The booleans make it very tunable and there's
almost no problem I haven't been able to lick using some diagnostic
skills, common sense, and a turn or two around Google.

-- 
Paul W. Frields, RHCE                          http://paul.frields.org/
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
           Fedora Project: http://pfrields.fedorapeople.org/
  irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug
