first encounters with SELINUX, with some suggestions

Jeff Johnson n3npq at nc.rr.com
Thu Nov 11 16:33:29 UTC 2004


Thomas Vander Stichele wrote:

>Hi,
>
>>>- A lot of developers I know, including a bunch at Red Hat, *turn off
>>>SELINUX entirely*.  IMO, something that gets pushed at heavily as this
>>>should be dogfooded by the development team at Red Hat completely, so
>>>they encounter firsthand what it means and how to fix basic issues.
>>>
>>FWIW I have three machines here, of which two have SELinux always on in
>>enforcing mode, and the third sometimes on (dogfooding Rawhide here, so
>>sometimes things break...).  They're all using the targeted policy.
>>
>
>Oh, I'm sure there are developers dogfooding it.  My point is that *all*
>of the Red Hat developers should be dogfooding it if you think SELINUX
>should be the default (which I assume is being thought since it's the
>default in anaconda).
>

Why *all* so vehemently? There are devel issues other than selinux that occasionally
crop up, and there is still a need to develop software that is (not yet anyways ;-) infected
with selinux.

FWIW, I've been dogfooding SE Linux for over a year without serious discomfort.

Sure there have been surprises. E.g. certain problems caused fsck to spew messages
that I didn't know even existed. On the whole, "targeted" selinux is pretty close to drop in
these days imho.

OTOH, I fully understand your out-of-box introduction to selinux trying to run mach.
That is a very hard environment, and there has been no serious attempt yet (afaik)
to write policy for a build system. That too is a rather hard problem requiring
different policy decisions than what is in "targeted".

Perhaps *you* should have started dog-fooding selinux sooner. It's not exactly like
the SELinux clouds have not been gathering for quite some time.

73 de Jeff
