SELinux removed from desktop cd spin?

Valent Turkovic valent.turkovic at gmail.com
Wed Jan 16 21:45:46 UTC 2008


On Jan 16, 2008 9:57 PM, David Nielsen <david at lovesunix.net> wrote:
>
> ons, 16 01 2008 kl. 20:57 +0100, skrev Valent Turkovic:
> > Hi,
> > I believe that SELinux is a great linux server security hardening tool
> > but that has little use in desktop linux usage and it confuses
> > ordinary desktop users.
> > If it hasn't been discussed before I would like to propose that on
> > desktop cd spin SELinux is not installed by default, of course after
> > discussion and approval from you (fedora devels).
>
> -infinity
>
> You opt out of security not into it, if SELinux presents a problem in an
> otherwise legitimate use case then it's a bug and it should be fixed.
> Dan Walsh is normally a very responsive maintainer and bugs get fixed
> nearly instantly.

You bring again something that has nothing to do with the issue. Off
course you opt out from security, not opt in. But I believe that using
fedora as a general desktop is already all the security 99% people
need. Other special cases can enable SELinux or even better build
their own kernel.

In order to use wireless fedora had to accept using firmware blobs
AFAIK just because people need their wireless JustToWork. And I
believe that people would like also not to get some useless (to them)
cryptic messages that don't give them any security. I get contantly
AVC Denial messages and none of them was a threat to my system.

> Prevention is better than waiting for a problem to erupt and then
> scramble to provide a 0 day patch to every critical bug. In much the
> same way as we vaccinate people to avoid illness in the future instead
> of just relying on luck and treatment.

SELinux on desktop feels much more like keeping people from ever
leaving their house in order for them not to get hurt outside that
vaccination.

On servers I can follow your vaccination analogy...

I believe that some technologies are made for servers and their place
it on server not on desktop. SELinux is top of that list.

Valent.
-- 
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic




More information about the fedora-devel-list mailing list