No more selinux-policy-*-sources
Ralf Corsepius
rc040203 at freenet.de
Tue Mar 14 17:58:33 UTC 2006
On Tue, 2006-03-14 at 16:54 +0000, Andrew Haley wrote:
> Stephen J. Smoogen writes:
> >
> > To be honest, we have found that the following people turn off SeLinux
> > for the following reasons:
> >
> > 1) They were told that xyz would be fixed by turning off SeLinux. In
> > most cases, the problem with xyz was really a config issue that
> > they then fix by hand, but will swear that turning off selinux somehow
> > fixed things. It is similar to problems back in the Red Hat Linux 5.0
> > days where any problem with the system was fixed with a static
> > compiled kernel or application.
> >
> > 2) They have installed some super nifty kernel module (panassas) or
> > application that selinux (and 90% of the rest of the kernel) does not
> > agree with.
> >
> > 3) They found a legitimate problem with selinux but did not have the
> > tools to debug it or the training needed to fix it.

Cf. 7) below.

> > 4) They turn it off because it is outside their experience or religious
> > (Unix) convictions.
>
> 5) They don't want enhanced security. I suspect this is a sizable
> number of people.

Only very few people work for a bank ;)

6) They found SELinux (resp. policy bugs) to prevent the OS from proper
function.

Fundamental design problem: SELinux policies are centralized and
therefore not easy to customize.

7) They found the current SELinux tools to suffer from usability
deficits. For example: Why aren't all selinux tools using a common
program prefix?

Finally, one fundamental problem, probably most users ask
themselves: Is coping with all the issues SELinux causes worth the
effort, and does it really help the user?

I guess, all Fedora users have been fighting with SELinux at some point
in time, but probably nobody or at least very few have seen SELinux
preventing damage from a system in real world installations.

Ralf