No more selinux-policy-*-sources

Farkas Levente lfarkas at bppiac.hu
Tue Mar 14 16:55:42 UTC 2006


Florian La Roche wrote:
>>I equate SELinux to the point when personal firewalls were first being
>>introduced to each computer, everyone at that point just turned them
>>off.  But eventually the technology got to the point where most people
>>don't realize they have a firewall running on their system.
> 
> 
> I start hearing from more and more people who now keep selinux
> enabled on e.g. fc4 with all updates applied.
> And getting developers who often change their system to have
> selinux on is one of the bigger hurdles...

We try, and really try, to use SELinux on all of our servers, but after a
year we think more and more that it's unusable. Although Daniel is one
of the fastest and most gentle developers at RH and his response time is
almost always within one day, it's still not enough. Even after about a year
since RHEL4 came out we still regularly run
audit2allow -l -i /var/log/audit/audit.log
and still find rules which should have been applied in order to avoid
problems. And these are not extra applications, these are just those
included in the RH release. On Fedora the situation is worse, so we turn off
SELinux on all of our desktops.
I hope that when binary compiled policies can be used and application
developers have to develop their own policies, the situation will be
better, but right now it's like a toy. But even then I do not really believe
that rules like:
allow named_t winbind_var_run_t:dir getattr;
allow mysqld_t nscd_var_run_t:dir search;
will be easily categorized into any package...

These are just my experiences :-(

-- 
  Levente                               "Si vis pacem para bellum!"
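The message above runs audit2allow over /var/log/audit/audit.log to turn AVC denials into candidate allow rules. The script below is an added illustration (not part of this thread, and not audit2allow's own code) of what that step does: it parses denied AVC records from a constructed audit.log excerpt, merges repeated denials for the same source type, target type and object class, and prints rules in the same form as the two quoted in the message. It also flags merged rules that would grant write-like permissions, since audit2allow output is a starting point for review rather than something to load blindly. The sample log lines and the list of "risky" permissions are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not taken from the thread). It contains the
# two denials behind the rules quoted in the message, one repeated denial,
# one multi-permission denial, a granted record and an unrelated SYSCALL
# record, so the parser has something to skip as well as something to keep.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1142355342.101:40): avc:  denied  { getattr } for  pid=2301 comm="named" name="winbindd" dev=sda1 ino=9012 scontext=system_u:system_r:named_t tcontext=system_u:object_r:winbind_var_run_t tclass=dir
type=SYSCALL msg=audit(1142355342.101:40): arch=40000003 syscall=195 success=no exit=-13
type=AVC msg=audit(1142355342.355:41): avc:  denied  { search } for  pid=2417 comm="mysqld" name="nscd" dev=sda1 ino=9100 scontext=root:system_r:mysqld_t tcontext=system_u:object_r:nscd_var_run_t tclass=dir
type=AVC msg=audit(1142355350.002:42): avc:  denied  { getattr } for  pid=2301 comm="named" name="winbindd" dev=sda1 ino=9012 scontext=system_u:system_r:named_t tcontext=system_u:object_r:winbind_var_run_t tclass=dir
type=AVC msg=audit(1142355360.777:43): avc:  denied  { read write } for  pid=2417 comm="mysqld" name="socket" dev=sda1 ino=9101 scontext=root:system_r:mysqld_t tcontext=system_u:object_r:nscd_var_run_t tclass=sock_file
type=AVC msg=audit(1142355361.000:44): avc:  granted  { setenforce } for  pid=1 comm="init" scontext=system_u:system_r:init_t tcontext=system_u:object_r:security_t tclass=security
"""

# Matches only *denied* AVC records; "granted" records never match.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permissions that change state; rules granting them deserve a closer look
# before being compiled into a policy module (assumed list for this example).
RISKY_PERMS = {"write", "append", "create", "unlink", "setattr",
               "relabelto", "relabelfrom", "execute", "entrypoint"}


def context_type(ctx):
    """user:role:type[:mls] -> type (the third colon-separated field)."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Return one (source_type, target_type, tclass, perms) tuple per denied AVC record."""
    denials = []
    for line in log_text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:  # granted or malformed AVC records are skipped
            continue
        perms = frozenset(m.group("perms").split())
        denials.append((context_type(m.group("scontext")),
                        context_type(m.group("tcontext")),
                        m.group("tclass"), perms))
    return denials


def aggregate_rules(denials):
    """Merge denials by (source, target, class); repeated records collapse into one rule."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in denials:
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)


def format_rules(rules):
    """Render merged denials as policy allow rules, one per (source, target, class)."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ " + plist + " }"
        lines.append(f"allow {stype} {ttype}:{tclass} {plist};")
    return lines


def risky_rules(rules):
    """Keys of merged rules that would grant any state-changing permission."""
    return sorted(key for key, perms in rules.items() if perms & RISKY_PERMS)


if __name__ == "__main__":
    merged = aggregate_rules(parse_denials(SAMPLE_AUDIT_LOG))
    for rule in format_rules(merged):
        print(rule)
    for key in risky_rules(merged):
        print("review before loading:", key)
```

Running the script prints the `allow named_t winbind_var_run_t:dir getattr;` and `allow mysqld_t nscd_var_run_t:dir search;` rules from the message plus a merged `{ read write }` rule on the socket, and marks only that last one for review. Replacing SAMPLE_AUDIT_LOG with the contents of a real audit.log gives the same kind of summary audit2allow produces, which is the point at which an administrator decides whether each rule belongs in a local module or is a bug to report against the distribution's policy.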
