Fedora (again) forces me to disable SELinux

Matej Cepl mcepl at redhat.com
Sat Apr 5 08:06:40 UTC 2008


On Fri, 04 Apr 2008 17:17:43 -0400, Stewart Adam scripst:
> I haven't extensively used SELinux in a long time, so excuse me if this
> already exists, but if we are to keep this enabled by default and want
> it to be attractive to users, I think we need to spend more time on tools
> like setroubleshoot. Two problems I had when I played with SELinux a few
> months ago were sharing content in /home via Samba, and /var/www/html via
> Apache - both of which are relatively trivial on Mac or Windows. Apache
> +Windows less so, but at least it doesn't require the command line.

OK, so this message sent me into overdrive mode (and sorry if the tone 
of my reply shows it). This is really an example message from somebody 
who didn't get it, or you had a really bad day when you wrote it (yes, we 
all have such days).

So, let me restate the situation, if I understand it correctly -- you are 
administering a network of computers with a Linux server (you may even be 
paid to do it, who knows?) and you are not willing to type "samba selinux 
home" into Yahoo! (or Google, the results are almost the same). And guess 
what the first hit in the results is? And if you take a look at 
http://fedoraproject.org/wiki/SELinux/samba you may find out that this is 
actually a web representation of the manpage selinux_samba(8) (who would 
guess such a name?), which is already present on your box. So, that's that 
one.

Then we have this program called system-config-selinux (what an unusual 
name for a system configuration program in Fedoraland, isn't it? Yes, it 
is new in Fedora 8; before that it had a different name). And if you 
switch to the "Booleans" table and type "samba" in the search box, what do 
you see? "Support SAMBA home directories" and many other Samba-related 
switches (I am not sure which way your sharing of /home directories goes, 
so I am not sure which one is best for you). Hmm, isn't that interesting?

OK, so you don't use Google, IRC (the #fedora or #selinux channels on 
FreeNode), the installed manpages, or any of the many other ways of 
getting the information. So, what's your reaction? "SELinux is too 
complicated and it should be switched off by default!" No, sir, if you 
want to screw up the security of the computers you manage, YOU should 
switch off the security features present there, so that YOU are 
responsible for the consequences. Otherwise, we would have hordes of 
people with hijacked and broken-into boxes screaming here about how Fedora 
is broken, because it doesn't protect their computers against known 
security threats.

</mode type="aggressive">

(I haven't understood what your problem with Apache is, so I cannot 
comment on that.)

You don't have to know that your other idea (a red button "Just allow 
it!") is really not a great idea either. On the one hand you have an 
Internet full of testimonies from people who hate Windows Vista for 
torturing them with "Can I do it? [Yes] [No]" dialog boxes. On the other 
hand, if you are interested, read 
http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf -- it is a good 
read.

Good luck with your administering!

Matěj
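Added example (not part of the message above, nor Fedora's own tooling): the command-line counterpart of typing "samba" into the Booleans search box of system-config-selinux and ticking "Support SAMBA home directories". It assumes that switch corresponds to the policy boolean samba_enable_home_dirs (the message does not give the boolean's name), and the getsebool output it falls back to is a constructed sample, not captured from a real box. The two parsing helpers are what make it runnable on a machine without SELinux tools; the setsebool call is the actual change.

```shell
#!/bin/sh
# Added example, not part of the mailing-list message: the command-line
# counterpart of searching "samba" in system-config-selinux and ticking
# "Support SAMBA home directories".  Assumption: that switch is the policy
# boolean samba_enable_home_dirs (the message never names the boolean).

# Constructed sample of `getsebool -a` output, used when the script runs on
# a host without SELinux tools.  Not captured from a real Fedora box.
SAMPLE_GETSEBOOL='allow_httpd_anon_write --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
use_samba_home_dirs --> off'

# samba_booleans INPUT
# Lists the names of all booleans in INPUT (getsebool -a format) whose name
# contains "samba": the same filter as typing "samba" into the search box.
samba_booleans() {
    printf '%s\n' "$1" | awk '$2 == "-->" && index($1, "samba") { print $1 }'
}

# selinux_bool_state NAME INPUT
# Prints "on" or "off" for boolean NAME; prints nothing and returns 1 when
# NAME is absent from INPUT (a typo, or a policy version without it).
selinux_bool_state() {
    state=$(printf '%s\n' "$2" | awk -v n="$1" '$1 == n && $2 == "-->" { print $3 }')
    [ -n "$state" ] || return 1
    printf '%s\n' "$state"
}

# enable_samba_home_dirs
# The setsebool equivalent of ticking the box.  -P writes the value into the
# policy store so it survives a reboot; without -P it is lost at next boot.
# Fails loudly when the tool is missing instead of silently doing nothing.
enable_samba_home_dirs() {
    if ! command -v setsebool >/dev/null 2>&1; then
        echo "setsebool not found; on Fedora run: setsebool -P samba_enable_home_dirs on" >&2
        return 1
    fi
    setsebool -P samba_enable_home_dirs on
}

# Prefer the live boolean list when getsebool exists and SELinux is enabled;
# otherwise fall back to the constructed sample so the script still runs.
INPUT=$(getsebool -a 2>/dev/null || true)
[ -n "$INPUT" ] || INPUT=$SAMPLE_GETSEBOOL

echo "Samba-related booleans:"
samba_booleans "$INPUT"
echo "samba_enable_home_dirs is: $(selinux_bool_state samba_enable_home_dirs "$INPUT" || echo 'not in this policy')"
```

Run it as root on the Fedora box and, once the boolean shows "off", call `enable_samba_home_dirs`; the `-P` matters, because a plain `setsebool` only changes the running policy and the share breaks again after the next reboot. Which boolean you actually need depends on how /home is being shared (read-only export versus writable home directories), which is the same caveat the message makes.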
More information about the fedora-devel-list mailing list