Fedora (again) forces me to disable SELinux

Stewart Adam maillist at diffingo.com
Fri Apr 4 21:17:43 UTC 2008


On Fri, 2008-04-04 at 19:18 +0200, Mark wrote:
> 2008/4/3, Arthur Pemberton <pemboa at gmail.com>:
> 
> To stay on your light bulb.
> It might not be the best thing to show down the light bulb like
> Mr.Bean does in one of his videos so having the light bulb BUT turning
> it off by default is better for the environment :) only turn it on
> when you need the light.
> 
> and for that fedora needs to change the current state of that light
> bulb from on to off by default
> 
+1

I don't use SELinux and I understand that some people like it and do
need/use it, however keeping it enabled by default causes a whole lot of
problems from the end-user point of view and I think we need the right
tools to fix these things.

I haven't extensively used SELinux in a long time so excuse me if this
already exists, but if we are to keep this enabled by default and want
it to be attractive to users I think we need to spend more time on tools
like setroubleshoot. Two problems I had when I played with SELinux a few
months ago were sharing content in /home via Samba, and /var/www/html via
Apache, both of which are relatively trivial on Mac or Windows. Apache
+Windows less so, but at least it doesn't require the command line.

Setroubleshoot was a great help since I could just copy+paste the
command it gave me and then things worked a little better (until I hit
the next slew of audit errors). Printing out the error messages and
giving an error description + command to fix the error is great (huge
improvement since I last tried SELinux in FC2) but I think we need a
user-oriented tool that simply recognizes: SELinux is blocking Samba.
Click here to allow. <click>. done.

The idea is actually pretty similar to how Firestarter detects blocked
packets and you can right-click an event and choose allow host, allow
service, block host, block service.

Another idea would be to implement a daemon that reports audit messages
to a central database where we could collect and review the cause. That
way we could pick up the common ones and get them solved or put why it's
being blocked by default into a FAQ. Of course, that daemon doesn't have
to be enabled by default, but it would be very useful among testers
imho.

Stewart
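The kind of "recognise the denial, propose the fix" logic the post asks for, as an added shell example that is not part of the thread or of setroubleshoot itself: it parses constructed AVC lines modelled on the two cases above (Samba on /home, Apache on /var/www/html), goes one step further by also handling Apache serving a home directory, and only prints the administrative command rather than running it. The AVC lines, pids and inode numbers are made up; the booleans samba_enable_home_dirs and httpd_enable_homedirs and the restorecon command are real.

```shell
#!/bin/sh
# Constructed AVC denials (not real audit output) for the three cases handled below.
AVC_SAMBA='type=AVC msg=audit(1207339063.411:58): avc:  denied  { read } for  pid=2410 comm="smbd" name="shared" dev=sda3 ino=131081 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'
AVC_HTTPD='type=AVC msg=audit(1207339102.877:61): avc:  denied  { getattr } for  pid=2511 comm="httpd" path="/var/www/html/index.html" dev=sda3 ino=262200 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'
AVC_HTTPD_HOME='type=AVC msg=audit(1207339140.002:64): avc:  denied  { read } for  pid=2511 comm="httpd" path="/home/stewart/public_html/index.html" dev=sda3 ino=393300 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_field LINE KEY: print the value of one space-separated key=value field
# (quoted or unquoted); empty output when the key is absent.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_type CONTEXT: the type component (user:role:TYPE:level) of a context.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE: map (source domain, target type, path) to the admin action.
# Only prints the command; running it is the administrator's decision.
suggest_fix() {
    src=$(avc_type "$(avc_field "$1" scontext)")
    tgt=$(avc_type "$(avc_field "$1" tcontext)")
    case "$src:$tgt" in
        smbd_t:user_home_t)
            # Samba reading home directories is governed by a policy boolean.
            echo "setsebool -P samba_enable_home_dirs on" ;;
        httpd_t:user_home_t)
            path=$(avc_field "$1" path)
            case "$path" in
                /home/*) echo "setsebool -P httpd_enable_homedirs on" ;;
                # A home-labelled file under /var/www was probably moved there
                # with mv, which keeps the old label; relabel the directory.
                *)       echo "restorecon -Rv ${path%/*}" ;;
            esac ;;
        *)
            echo "unknown: run audit2why on this denial" ;;
    esac
}

for line in "$AVC_SAMBA" "$AVC_HTTPD" "$AVC_HTTPD_HOME"; do
    printf '%s -> %s\n' "$(avc_field "$line" comm)" "$(suggest_fix "$line")"
done
```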




More information about the fedora-devel-list mailing list