Another selinux rant

Andrew Farris lordmorgul at gmail.com
Fri Jan 4 03:05:21 UTC 2008


Ed Swierk wrote:
> On 1/3/08, Andrew Farris <lordmorgul at gmail.com> wrote:
>> As the policies improve selinux will become hardly more complicated for general
>> use as chmod itself is... proper policy + proper label = just works.  Obviously
>> both of those need to be in place and are in progress; so disable it when you
>> must now but if you just ignore it long term it's to your detriment.  Set it
>> permissive at minimum and keep the denial log messages for additional security
>> review if/when you really need it.  And finally, the ability to disable it is in
>> the distro precisely so that you can (so why the rant? you want to be forced to
>> enable it instead? you feel everyone should install without it enabled by
>> default forever and ever? you feel that selinux should disable itself when you
>> get denials that prevent you doing what you want? uhm that won't do).
> 
> No, no and no. Dimi raised the issue of gauging the usability of
> SELinux, and the only point of my rant was to convey the experience
> that led me to disable it.
> 
> --Ed

Ok I understand then, however I'd just comment that as a gauge of usability I
think your situation (moving configurations across platforms, from no selinux to
selinux) is somewhat of a fringe case.  I realize that MANY admins would be
doing just that in the process of adopting selinux since rewriting
configurations is a major pain, but it's still something that can almost be
expected to cause headache (and requires labeling).  Just my 2c on usability, it
still seems to work best when you start out from install with selinux enabled
and avoid deliberately circumventing it.

Would you say that documentation on that specific issue (migrating
configurations) needs more attention?

The big thing is any file moved has to get labeled.  Your openvpn issue looks
like it might be a real policy problem.

-- 
Andrew Farris <lordmorgul at gmail.com> <ajfarris at gmail.com>
 gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----
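The post recommends keeping SELinux in permissive mode and retaining the denial log for review, and notes that moved files must be relabeled while the openvpn failure looks like a policy problem. As an added example (not part of the original message or of Fedora's tooling), the POSIX shell script below summarizes AVC denial records from an audit log and separates the two cases the post distinguishes: file denials whose target carries a generic label (a sign the file was copied or moved without relabeling) versus everything else, which is more likely a policy gap. The audit lines are constructed sample input, and the list of "generic" types treated as relabel indicators is an assumption, not something the post states.

```shell
#!/bin/sh
# Added example: triage SELinux AVC denials kept from permissive mode.
# SAMPLE_AVC is constructed sample data in audit.log format, not a real log.
SAMPLE_AVC='type=AVC msg=audit(1199415921.123:45): avc:  denied  { read } for  pid=2140 comm="openvpn" name="server.conf" dev=sda1 ino=12345 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1199415922.456:46): avc:  denied  { open } for  pid=2140 comm="openvpn" name="server.conf" dev=sda1 ino=12345 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1199415930.789:47): avc:  denied  { name_connect } for  pid=2200 comm="httpd" dest=8443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:pki_ra_port_t:s0 tclass=tcp_socket'

# summarize_avc: read AVC records on stdin and print one line per distinct
# (command, permission set, target type) with a count, sorted for review.
summarize_avc() {
    awk '
    /avc: +denied/ {
        comm = ""; perm = ""; ttype = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = $i; gsub(/^comm="|"$/, "", comm) }
            if ($i == "{") {                     # permissions are listed as { a b }
                i++
                while (i <= NF && $i != "}") { perm = (perm == "" ? $i : perm "," $i); i++ }
            }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }  # the type field
        }
        count[comm " " perm " " ttype]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

# relabel_candidates: print file names from file/dir denials whose target type
# is a generic label. Assumption (heuristic, not from the post): such labels
# usually mean the object was moved or copied without restorecon, so relabeling
# is the first thing to try before suspecting the policy itself.
relabel_candidates() {
    awk '
    /avc: +denied/ {
        name = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)     { name = $i; gsub(/^name="|"$/, "", name) }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if ((tclass == "file" || tclass == "dir") &&
            ttype ~ /^(user_home_t|default_t|unlabeled_t|tmp_t)$/)
            seen[name]++
    }
    END { for (n in seen) print n }
    ' | sort
}

# Stand-alone run: show the summary, then the objects worth relabeling.
printf '%s\n' "$SAMPLE_AVC" | summarize_avc
echo "--- relabel candidates ---"
printf '%s\n' "$SAMPLE_AVC" | relabel_candidates
```

On a real system the input would come from `/var/log/audit/audit.log` (or `ausearch -m avc`), and a file reported as a relabel candidate is reset to its policy default with `restorecon -Rv <path>`; `ls -Z` shows the current label. Denials that persist after the label is correct, like the httpd port denial in the sample, are the "real policy problem" class the post mentions and belong in a bug report or a local policy module rather than a relabel.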