[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Selinux

Bruno Wolff III wrote:
On Sat, Nov 29, 2008 at 20:41:51 -0500,
  Tom Horsley <tom horsley att net> wrote:
So why isn't it much simpler and less trouble to just turn off
selinux in the first place? I get the same level of security in the
end, and much less hassle in the meantime :-).

Because you can still leave it protecting other processes on the system
by either using pemissive domains or using audit2allow to generate rules
you can use to add a new policy module.

What would be really nice is if people reported these issues to bugzilla
instead of or in addition to griping about them here. Then either the app
or the policy could be fixed for everyone else.

Sorry, I assume that the QA process includes someone actually installing the application and seeing that it works. I would rather see things sit in updates-testing until someone is willing to sign off that they actually have been at least smoke tested?

It doesn't need to be some maintainer who does that, anyone who is going to use the package can take a moment to do the sign off, assuming that there's a process to identify people as capable of installing a package with selinux enabled (lots of folks), and willing to do so (still hopefully a non-empty set).

If Fedora is going to ship with SElinux enabled, it also should be working. I keep one fully patched VM for testing things, just create a qcow clone and and run the test. Great for opening those web sites which may be useful or may have evil, among other things.

Bill Davidsen <davidsen tmr com>
  "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]