Fedora (again) forces me to disable SELinux
Matej Cepl
mcepl at redhat.com
Sat Apr 5 08:06:40 UTC 2008
On Fri, 04 Apr 2008 17:17:43 -0400, Stewart Adam scripst:
> I haven't extensively used SELinux in a long time so excuse me if this
> already exists, but if we are to keep this enabled by default and want
> it to be attractive to users I think we need to spend more time on tools
> like setroubleshoot. Two problems I had when I played with SELinux a few
> months ago was sharing content in /home via Samba, and /var/www/html via
> Apache - Both of which are relatively trivial in Mac or Windows. Apache
> +Windows less so, but at least it doesn't require the command line.
OK, so this message sent me into overdrive mode (and sorry if the tone
of my reply shows it). This is really the example message of somebody
who didn't get it or you had a really bad day when you wrote it (yes, we
all have such days).
So, let me restate the situation if I understand it correctly -- you are
administering a network of computers with a Linux server (you may be even
paid to do it, who knows?) and you are not willing to type into Yahoo!
(or Google, results are almost the same) "samba selinux home". And guess
what is the first hit in the results? And if you take a look at
http://fedoraproject.org/wiki/SELinux/samba you may find out that actually
this is a web representation of the manpage selinux_samba(8) (who would guess
such a name?) which is already present in your box. So, that's the one.
Then we have this program called system-config-selinux (what an unusual name
for the system configuration program in Fedoraland, isn't it? Yes, it is
new in Fedora 8, before that it had a different name). And if you switch to
"Booleans" table and write "samba" in the search box, what do you see?
"Support SAMBA home directories" and many other samba related switches (I
am not sure which way your sharing of /home directories goes, so I am not
sure, which is the best for you). Hmm, isn't that interesting?
OK, so you don't use Google, IRC (#fedora or #selinux channels on
FreeNode), installed manpages, or many other methods how to get the
information. So, what's your reaction? "SELinux is too complicated and it
should be switched off by default!". No, sir, if you want to screw up
security of computers you manage, YOU should switch off security features
present there, so that YOU are responsible for the consequences.
Otherwise, we would have hordes of people with hijacked and broken-into
boxes screaming here how Fedora is broken, because it doesn't protect
their computer against known security threats.
</mode type="aggressive">
(I haven't understood what's your problem with Apache, so I cannot
comment on that.)
You don't have to know that your other idea (red button "Just allow it!")
is really not a great idea either. On the one hand you have the Internet full
of testimonies of people who hate Windows Vista for torturing them with
dialog boxes "Can I do it? [Yes] [No]". On the other hand, if you are
interested, read this
http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf -- it is a good read.
Good luck with your administering!
Matěj