first encounters with SELINUX, with some suggestions

Daniel J Walsh dwalsh at redhat.com
Thu Nov 11 16:44:07 UTC 2004


Thomas Vander Stichele wrote:

>Hi,
>
>>>- A lot of developers I know, including a bunch at Red Hat, *turn off
>>>SELINUX entirely*.  IMO, something that gets pushed at heavily as this
>>>should be dogfooded by the development team at Red Hat completely, so
>>>they encounter firsthand what it means and how to fix basic issues.
>>>
>>FWIW I have three machines here, of which two have SELinux always on in
>>enforcing mode, and the third sometimes on (dogfooding Rawhide here, so
>>sometimes things break...).  They're all using the targeted policy.
>
>Oh, I'm sure there are developers dogfooding it.  My point is that *all*
>of the Red Hat developers should be dogfooding it if you think SELINUX
>should be the default (which I assume is being thought since it's the
>default in anaconda).
>
All RH developers do not work on FC3.  (A lot run on RHEL 3 and AS 2.1.)
SELinux with strict policy was very difficult to develop on, so a lot of
developers turned it off; now that it is targeted policy, they are using
it more and more.  Most of the problems we are seeing now are with
different Apache setups, which most developers would not have discovered
on the desktop.

>My sample of developers was not correctly chosen if I wanted half of
>them to run it.  But I think *all* of them should run it, and they
>should come to you or Karsten or Colin when they run into stuff they
>can't figure out, so that it becomes impossible for me to find even
>one RH developer that doesn't know basic stuff about SELINUX.
>
>For any other subsystem I would say this ideal was utopian; for
>something that's this impacting on end users I'd say it's a necessity.
>But, of course, just my POV :)
>
>Thomas
>
>
>Dave/Dina : future TV today ! - http://www.davedina.org/
><-*- thomas (dot) apestaart (dot) org -*->
>If you don't ask me out to dinner
>I don't eat
><-*- thomas (at) apestaart (dot) org -*->
>URGent, best radio on the net - 24/7 ! - http://urgent.fm/