Another selinux rant

Ed Swierk eswierk at arastra.com
Fri Jan 4 02:33:17 UTC 2008


On 1/3/08, Andrew Farris <lordmorgul at gmail.com> wrote:
> As the policies improve selinux will become hardly more complicated for general
> use as chmod itself is... proper policy + proper label = just works.  Obviously
> both of those need to be in place and are in progress; so disable it when you
> must now but if you just ignore it long term it's to your detriment.  Set it
> permissive at minimum and keep the denial log messages for additional security
> review if/when you really need it.  And finally, the ability to disable it is in
> the distro precisely so that you can (so why the rant? you want to be forced to
> enable it instead? you feel everyone should install without it enabled by
> default forever and ever? you feel that selinux should disable itself when you
> get denials that prevent you doing what you want? uhm that won't do).

No, no and no. Dimi raised the issue of gauging the usability of
SELinux, and the only point of my rant was to convey the experience
that led me to disable it.

--Ed




More information about the fedora-devel-list mailing list