
Re: first encounters with SELINUX, with some suggestions

Thomas Vander Stichele wrote:


- A lot of developers I know, including a bunch at Red Hat, *turn off
SELINUX entirely*. IMO, something that gets pushed at heavily as this
should be dogfooded by the development team at Red Hat completely, so
they encounter firsthand what it means and how to fix basic issues.

FWIW I have three machines here, of which two have SELinux always on in
enforcing mode, and the third sometimes on (dogfooding Rawhide here, so
sometimes things break...). They're all using the targeted policy.

Oh, I'm sure there are developers dogfooding it. My point is that *all*
of the Red Hat developers should be dogfooding it if you think SELINUX
should be the default (which I assume is being thought since it's the
default in anaconda).

Why *all* so vehemently? There are devel issues other than selinux that occasionally
crop up, and there is still a need to develop software that is (not yet anyways ;-) infected
with selinux.

FWIW, I've been dogfooding SE Linux for over a year without serious discomfort.

Sure there have been surprises. E.g. certain problems caused fsck to spew messages
that I dinna not even existed. On the whole, "targeted" selinux is pretty close to drop in
these days imho.

OTOH, I fully understand your out-of-box introduction to selinux trying to run mach.
That is a very hard environment, and there has been no serious attempt yet (afaik)
to attempt to write policy for a build system. That too is a rather hard problem requiring
different policy decisions than what is in "targeted".

Perhaps *you* should have started dog-fooding selinux sooner. It's not exactly like
the SELinux clouds have not been gathering for quite some time.

73 de Jeff
