Fedora (again) forces me to disable SELinux
Mark
markg85 at gmail.com
Sat Apr 5 12:15:40 UTC 2008
2008/4/5, Daniel J Walsh <dwalsh at redhat.com>:
> Mark wrote:
> > Hey,
> >
> > I just installed the Fedora 9 Beta release and am doing a full system
> > update as we speak.
> > While downloading the updates nothing is wrong.. it just downloads and
> > that's it. But when installing the updates i get a ton of selinux
> > notices!! and this is just a default Fedora 9 beta followed by a yum
> > -y update.
> >
> > Also another issue that i noticed was when looking at a flash
> > animation in firefox.. when i want to play the animation selinux
> > (again) drops in and tells me i can't. (or i need to run a command to
> > get it working).
> >
> > Now i've tried to run selinux on Fedora 7 and 8 for as long as
> > possible just to see how long i can get around it.. i did some
> > commands in that time as well but i always end up with disabling
> > selinux.
> >
> > I have no idea how other users are using fedora in a normal every day
> > usage without disabling selinux.. i agree that a firewall should be in
> > linux but selinux just doesn't seem mature yet (if it will ever be).
> > Perhaps it's time to start considering to turn off selinux and remove
> > it out of the fedora kernel completely? As long as it's blaming here
> > when i install updates or simply browse the web then selinux gets shut
> > down completely!
> >
> > So.. how are you doing this?
> >
> >
> > Btw.. judging from the selinux stats here:
> > http://smolts.org/static/stats/stats.html it says that nearly 50%
> > (48.4%) is turning off selinux. And my guess is that all fedora
> > servers keep it on making up the other 50%.
> >
>
> The AVC messages you are probably seeing are SELinux attempting to
> confine firefox/nsplugins, although you did not submit them.
>
> During the Beta I have been turning on a transition boolean for
> nsplugin. This transition is from unconfined_t to nsplugin_t. The
> attempt here is to confine random code like flashplugin/acrobat and
> other closed source programs that read random data from the internet
> from attacking your machine. I have to turn it on by default in
> Rawhide/Beta to find out what problems it causes. I will probably turn
> it off when we release, to prevent it causing problems for people like you.
>
> I write about the change in
>
> danwalsh.livejournal.com/15700.html
>
> There is a potential real security gain from this, but we need to
> experiment to figure out how we can benefit the greatest number of users.
>
> I agree we need to tread lightly when adding new SELinux confinement, to
> the users but we still have an ability that could really advance
> computer security.
>
> allow_execmod, allow_execstack, allow_execheap, allow_execmod have
> caused many AVCs to be seen by users, but they also can prevent buffer
> overflow attacks. Sadly, badly coded applications have caused us to turn
> a lot of these checks off by default.
>
Hereby a promise from me to you and all of the fedora development team.
Next time i install fedora (9 final or even 10 rawhide) then i will
keep selinux on as long as possible on enforcing.
Then i will collect all the issues i find and file them all here in
this mailing list (not this thread). i won't make a bugzilla report for
each warning! and an online selinux warning database where all the
warnings are sent to would really be helpful here!
But for now it stays off till i reinstall.
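The denials Dan describes (the nsplugin_t transition and the exec-memory checks behind allow_execmod/allow_execstack/allow_execheap) can be triaged from audit.log before anyone decides to flip a boolean or disable enforcing. The script below is an added example, not code from this thread or from Fedora; the AVC lines are constructed, and the allow_execmem boolean name is an assumption.

```python
import re
from collections import Counter

# Constructed sample audit.log AVC lines (not real output from the thread).
SAMPLE_AVC = """\
type=AVC msg=audit(1207397740.101:61): avc:  denied  { execmem } for  pid=2931 comm="npviewer.bin" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=unconfined_u:unconfined_r:nsplugin_t:s0 tclass=process
type=AVC msg=audit(1207397741.202:62): avc:  denied  { execmod } for  pid=2931 comm="npviewer.bin" path="/usr/lib/flash-plugin/libflashplayer.so" dev=sda2 ino=41233 scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1207397755.303:63): avc:  denied  { execstack } for  pid=3010 comm="yum" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1207397760.404:64): avc:  denied  { read } for  pid=2931 comm="npviewer.bin" name="passwd" scontext=unconfined_u:unconfined_r:nsplugin_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
"""

# Executable-memory permission -> boolean that relaxes it. The last three
# booleans are named in the thread; allow_execmem is assumed.
EXEC_BOOLEANS = {
    "execmem": "allow_execmem",
    "execstack": "allow_execstack",
    "execheap": "allow_execheap",
    "execmod": "allow_execmod",
}

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = m.group("perms").split()
    # The type (domain) is the third field of the source security context.
    rec["sdomain"] = rec.get("scontext", "::?").split(":")[2]
    return rec

def triage(log_text):
    """Count exec-memory denials per relaxing boolean, and denials raised
    against the nsplugin_t domain, so each can be reported in one place."""
    by_boolean = Counter()
    nsplugin = 0
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if rec["sdomain"] == "nsplugin_t":
            nsplugin += 1
        for perm in rec["perms"]:
            if perm in EXEC_BOOLEANS:
                by_boolean[EXEC_BOOLEANS[perm]] += 1
    return {"by_boolean": dict(by_boolean), "nsplugin_t_denials": nsplugin}
```

Denials that map to no boolean (the `read` of /etc/passwd by the plugin domain here) are the ones the confinement is meant to catch and deserve a report rather than a workaround.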