first encounters with SELINUX, with some suggestions

Thomas Vander Stichele thomas at apestaart.org
Thu Nov 11 16:03:36 UTC 2004


Hi,

> > 
> > - A lot of developers I know, including a bunch at Red Hat, *turn off
> > SELINUX entirely*.  IMO, something that gets pushed as heavily as this
> > should be dogfooded by the development team at Red Hat completely, so
> > they encounter firsthand what it means and how to fix basic issues.
> 
> FWIW I have three machines here, of which two have SELinux always on in
> enforcing mode, and the third sometimes on (dogfooding Rawhide here, so
> sometimes things break...).  They're all using the targeted policy.

Oh, I'm sure there are developers dogfooding it.  My point is that *all*
of the Red Hat developers should be dogfooding it if you think SELINUX
should be the default (which I assume is being thought since it's the
default in anaconda).

My sample of developers was not correctly chosen if I wanted half of
them to run it.  But I think *all* of them should run it, and they
should come to you or Karsten or Colin when they run into stuff they
can't figure out, so that it becomes impossible for me to find even
one RH developer that doesn't know basic stuff about SELINUX.

For any other subsystem I would say this ideal was utopian; for
something that's this impacting on end users I'd say it's a necessity.
But, of course, just my POV :)

Thomas


Dave/Dina : future TV today ! - http://www.davedina.org/
<-*- thomas (dot) apestaart (dot) org -*->
If you don't ask me out to dinner
I don't eat
<-*- thomas (at) apestaart (dot) org -*->
URGent, best radio on the net - 24/7 ! - http://urgent.fm/






More information about the fedora-devel-list mailing list