
Re: wild and crazy selinux dependencies?



On Saturday 11 October 2008 16:19, Tom Horsley wrote:
> On Thu, 9 Oct 2008 12:02:52 +0000
>
> Marko Vojinovic <vvmarko panet co yu> wrote:
> > In general, you want a system with active selinux as much as a system
> > with file permissions. Security.
>
> Wrong Moose Breath! :-).
>
> In general, I want a system where it is possible to get things done,
> and all of the security types in the universe believe that just one more
> little obstacle won't hurt anything because, after all, it is to improve
> security.
>
> Collect together enough security features and you might as well try to
> use a cement block as a computer (which, after all, would be very secure,
> but still it might be physically breached, so we'll probably need
> to spend several more years making sure that cement blocks are all
> locked down with steel cables and enclosed in 10 ton vaults to protect
> their physical security).

I can't agree with what Marko said. I'd hate to see the time when Selinux was 
installed in enforcing mode, and impossible to disable it. I have left 
Selinux in enforcing mode on F8, and F9, and had only one problem, where I 
wasn't able to FTP into F8, and F9, from another machine. Setroubleshoot 
provided a fix for that, and I've had no problems since that. If I did have 
constant problems with Selinux, I'd have no hesitation in either disabling 
it, or at least trying it in permissive mode first. I'm only a home user, but 
am not saying that I'm not concerned about security. How much security is 
enough?

I've often read that security is a bit of a compromise. Too much security, and 
the machine is virtually unusable, which sort of defeats the object of 
having a computer in the first place, if you can't do anything with it. Too 
little security (perhaps particularly with Windows machines), and your 
machine can be compromised, courtesy of all those miscreants out there.

I agree that it's annoying when trying to remove, for example Selinux, that it 
wants to remove half the OS as deps. You can simply disable Selinux, but that 
doesn't stop an app that you no longer want, being updated. I disabled 
Pulseaudio by removing the alsa-plugins-pulseaudio package, but all the other 
pulseaudio stuff is still updated, and if nothing else, is wasting bandwidth, 
and the time it takes on my dialup connection. Totally removing all the 
pulseaudio stuff has similar problems to your Selinux removal. One Pulseaudio 
package wants to remove many other packages (non specifically Pulseaudio 
related), and I know of one person that did this (no longer on the list, but 
now on the Ubuntu list), and totally screwed up the sound.

On FC2 I removed Totem (the gstreamer version), and it also removed Rhythmbox 
as a dep. Then I reinstalled Rhythmbox, which didn't want Totem as a dep. 
Totem is dependent on Rhythmbox, but Rhythmbox is not dependent on Totem, at 
least that's the way it appears. Puzzling!

Personally, if you can just disable stuff, I'd go with that, and just put up 
with the needless updates for apps that you no longer use, or want.

25¢ worth of personal observations.

Nigel.

