Fedora (again) forces me to disable SELinux

Andrew Farris lordmorgul at gmail.com
Tue Apr 1 01:54:55 UTC 2008


Mark wrote:
> 2008/4/1, Andrew Farris <lordmorgul at gmail.com>:
>> Beta.
> 
> Not beta! This is selinux related and is like this for years so don't
> tell me it's because of "beta". Otherwise try out Fedora 8 final fully
> updated to see for yourself. It's (again) just selinux.

You have to understand how much about selinux is a moving target because Fedora
is a moving target; this is very much an issue of 'beta'.  SELinux policy is not
developed in a vacuum or independently.  It's not just another application helping
to secure the system along with your firewall; it must handle the oddball
behavior of every constrained bit of code on the system.  It can never be 'just
selinux' because selinux is not that type of application/package (the fact that
you can turn it off doesn't mean it's 'separate').

There may never be a fully complete policy that can drop into a distribution and
'just work'.  Fedora is a rapidly changing package space; the policy plays keep-up,
so yeah, it's always a beta issue until the full release.  It basically
starts over as the totally new versions of software show up -- the more the
software changes, the more the policy is deficient to work with it.  The feature
set of F9 is a lot different from F8, with major code changes that affect the
selinux policy... it's not all auto generated (which btw is impossible because
programs are deterministic but programmers are not; selinux constrains both how
and 'why' accesses occur).

Having hundreds of denials as you try to update is NOT normal selinux behavior;
that happens only when something is really broken.  It also happens often when
people try to run selinux here and there, trying to turn it on and get things
going, having issues, and shutting it off again for weeks.  Trust me, I realize
how that goes... I've made a conscious effort to keep my systems (both stable and
testing systems) running selinux enforcing since it showed up in Fedora.  It
takes a lot of time but it's dramatically improved and continues to improve!

I have run F8, and I ran it selinux enforcing for months.  It really does get 
easier to work with the more you try, and especially the less your system 
packages are changing.  But I'm also not saying that selinux is a finished 
product... sometimes it does cause problems, but I've seen legitimate audits as 
well (not that often, but when they become frequent we'll all be glad that 
selinux developers/testers did this work now and not starting then).

And that wall of text is just to say, you ran into a pretty bad little beta 
issue, it happens. :)

>>  > I simply don't get why such an idiotic system has to be in fedora...
>>  > Fedora is about user friendly distributions right? this one isn't user
>>  > friendly at all. Till now I've always disabled selinux as soon as the
>>  > first boot was completed.
>>
>>
>> Well, it's clear you don't understand it, which is ok, but debating its purpose
>>  or implementation is not a reasonable use of time.  You may continue to disable
>>  SELinux... I'll continue to do everything I can to help the developers improve
>>  it because I value what it provides.
> 
> I'm interested in trying it out and having a secured linux machine but
> not this way. Once its illnesses are fixed (if that ever gets done)
> and selinux only spits out warnings like every other firewall is doing
> then I will probably use it by default as well. Just not now because
> of the reasons I told a few times now.

I hope it gets there too, but again, the nature of the beast is that policy 
won't be perfect unless software stops changing, and we don't want that.

-- 
Andrew Farris <lordmorgul at gmail.com> www.lordmorgul.net
  gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB  5BD5 5F89 8E1B 8300 BF29
  revoked key 0xC99B1DF3 no longer used
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----
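The post's rule of thumb is that a handful of denials may be legitimate audits while hundreds during an update mean the policy is broken for the packages involved. The following is an added example, not part of the thread: a small triage script that parses AVC denial records in the format the kernel writes to /var/log/audit/audit.log, groups them by source type, target type, object class and permissions, and applies that threshold. The sample records are constructed for the example; the threshold of 100 is an assumption standing in for "hundreds".

```python
import re
from collections import Counter

# Matches the kernel's AVC denial record as written to audit.log, e.g.
#   type=AVC msg=audit(...): avc:  denied  { read } for  pid=... comm="httpd" ...
#   scontext=system_u:system_r:httpd_t:s0 tcontext=...:user_home_t:s0 tclass=file
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'comm="(?P<comm>[^"]+)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = tuple(sorted(d["perms"].split()))
    # Keep the type component (user:role:TYPE:level); policy rules are keyed on types.
    d["stype"] = d["scontext"].split(":")[2]
    d["ttype"] = d["tcontext"].split(":")[2]
    return d

def summarize(lines):
    """Count denials per (source type, target type, class, permissions) tuple."""
    counts = Counter()
    for line in lines:
        d = parse_avc(line)
        if d:
            counts[(d["stype"], d["ttype"], d["tclass"], d["perms"])] += 1
    return counts

def looks_broken(counts, threshold=100):
    """Apply the post's rule of thumb: hundreds of denials means something is really broken."""
    return sum(counts.values()) >= threshold

# Constructed sample records (not captured from a real system).
SAMPLE = [
    'type=AVC msg=audit(1207011295.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1207011295.130:457): avc:  denied  { read open } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1207011295.130:457): arch=c000003e syscall=2 success=no exit=-13',
    'type=AVC msg=audit(1207011300.000:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
]

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    for key, n in counts.most_common():
        print(n, *key)
    print("policy looks broken:", looks_broken(counts))
```

On a real system, feed it the output of `ausearch -m avc` instead of SAMPLE; a few distinct tuples with low counts are worth reading one by one, while a flood across many tuples points at a policy that has not caught up with the packages.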

More information about the fedora-devel-list mailing list