Selinux (was: Re: Googleearth won't run on F10)



Bill Davidsen <davidsen tmr com> writes:
> That's a bit like asking how to turn off the burglar alarm so
> break-ins won't be so noisy. The correct question is how to set
> attributes correctly so google earth will run, and the answer may be
> in the SElinux report, as it often is. Read the report and see if it
> gives you a command to run which solves the problem.

;-)

Good analogy, extra style points for making one feel guilty for
turning off something that sounds like it should be a good thing to
have on in general.

Each distribution, since I think FC4, I've tried to run selinux and
after a short time decided it simply wasn't worth the trouble.  On
anything more complicated than a client-only, stand-alone system, I'd
get low-probability failures creeping out of the woodwork forever.
Selinux as currently delivered is a better DOS than any outside
attacker has ever inflicted on WSRCC in the one and a half dozen years
it has been on the net.  (Now, I obviously still believe in chrooted,
internet-facing programs run as powerless per-daemon users, and I'm a
firm stickler in no non-RSA/DSA remote logins.  I just don't like my
own system DOS-ing me randomly.)

This time on F10 selinux lasted exactly 15 minutes.  The first time I
tried to log in as an NFS automounted user, I realized that things
have gotten worse in terms of working for me out of the box.  Sure, I
could fight the issue and use the selinux tools to adjust the
permissions, but why bother?  It is clear this hasn't been well tested,
and using selinux will be an uphill battle with a pre-alpha quality
permissions database that I'll essentially be maintaining on my own.

I strongly suspect that Red Hat doesn't run with selinux enabled on
their corporate machines.  From how rickety everything still is, it
just doesn't feel like they eat their own dog-food.  How can NFS-ed
home directories possibly not work if they did?  Folks from RH are of
course encouraged to tell me how wrong I am.

-wolfgang
-- 
Wolfgang S. Rupprecht              http://www.full-steam.org/  (ipv6-only)
         You may need to config 6to4 to see the above pages.
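Added example, not part of either poster's message: the "read the report" step Bill recommends, done by hand. The script parses an AVC denial line in the format the audit log and `ausearch` produce, summarises it as source type, target type, object class and permission, and prints the investigation commands a defender would run before deciding whether a boolean (rather than disabling SELinux) resolves it. The denial line is constructed here to resemble the NFS home directory case in the thread; the `nfs_t` type and the `use_nfs_home_dirs` boolean are the ones Fedora's reference policy uses for NFS-mounted home directories, and `getsebool -a | grep nfs` confirms the exact boolean name on a given release.

```shell
#!/bin/sh
# Added example: triage an SELinux AVC denial instead of turning SELinux off.

# Constructed sample denial in audit.log/ausearch format (not a real capture).
SAMPLE_AVC='type=AVC msg=audit(1230000000.123:456): avc:  denied  { read } for  pid=1234 comm="bash" name=".bash_profile" dev=0:21 ino=99 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:nfs_t:s0 tclass=file'

# avc_field LINE KEY -> the value of KEY=... in the line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ (]$2=\([^ ]*\).*/\1/p"
}

# avc_perm LINE -> the permission(s) listed inside { }
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([^}]*\) *}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT -> the type component (third colon-separated field)
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "source_type -> target_type:class:perm"
avc_summary() {
    s=$(ctx_type "$(avc_field "$1" scontext)")
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    p=$(avc_perm "$1")
    printf '%s -> %s:%s:%s\n' "$s" "$t" "$c" "$p"
}

# suggest_checks LINE -> the non-destructive checks to run next, chosen by target type
suggest_checks() {
    t=$(ctx_type "$(avc_field "$1" tcontext)")
    echo "ausearch -m AVC -ts recent            # confirm the denial and how often it fires"
    echo "sealert -a /var/log/audit/audit.log  # setroubleshoot's explanation and suggested fix"
    case "$t" in
      nfs_t) echo "getsebool use_nfs_home_dirs          # NFS home dirs need this boolean on (setsebool -P to persist)";;
      *)     echo "audit2allow -w -a                    # explain why the loaded policy denied it";;
    esac
}

# Usage: summarise the sample denial and list what to check.
avc_summary "$SAMPLE_AVC"
suggest_checks "$SAMPLE_AVC"
```

The point of the boolean check is that an NFS home directory denial is a known, policy-anticipated case with a supported toggle; only when no boolean or `restorecon` relabel covers a denial does `audit2allow` become the tool for writing a local module, and the summary line is what you compare against the policy documentation to decide which.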

