SELinux removed from desktop cd spin?

Valent Turkovic valent.turkovic at gmail.com
Thu Jan 17 15:27:22 UTC 2008


Jeff Spaleta wrote:
> On Jan 17, 2008 5:13 AM, Valent Turkovic <valent.turkovic at gmail.com> wrote:
>> Again I'm not talking about general fedora distro, only Desktop spin.
> 
> I guarantee you that people understand the argument you are making.
> And I'm pretty sure that you haven't actually come up with a new line
> of reasoning that hasn't already been considered previously.
> 
> It comes down to this. You either value the selinux technology for a
> specific usage case, or you don't.  If you value it, then you must
> support Fedora having it enabled by default because Fedora so that we
> can continue to refine it through more feedback.   If you don't value
> it as a technology for the usage case you are interested in then you
> aren't ever going to really be comfortable with it being included at
> all.
> 
> So clearly you don't value it.  And clearly I do.  Continuing to run
> in circles about this for another 300 posts isn't going to go anywhere
> because at a pretty fundamental level our assumptions about what is
> important are vastly different.
> 
> But you know what, my opinion and your opinion are really not that
> important.  What I care about in terms of project direction is what
> the security experts and the expert interface designers think.  We
> must find a way to continue to incrementally make dealing with selinux
> easier.  I'd rather get the right people in a room somewhere to sit
> down and discuss selinux desktop integration away from the noise and
> pitchforks in a mailing list, and then move forward from there.  You
> and I are not the right people.

Jeff, I completely agree with you, it is not on me or you to decide, but 
I think that this discussion really needs to happen because fedora 
currently has lost its focus. It is not a server distro, it is not a 
desktop-focused distro - nobody knows what exactly fedora should be used for.

So I hoped that Fedora desktop spin will have some clear focus - the 
desktop as the name suggests, but it looks much more to me like it 
should be called just Fedora light.

There is no real difference (only NetworkManager turned on by default on 
desktop spin) in Fedora and Fedora Desktop spin.

I don't agree that security experts should decide if SELinux should go 
or not on Fedora Desktop spin or should it be on/off by default but some 
team of people who have a clear vision what Fedora Desktop experience 
should be about.

They should look real hard at the costs to usability vs. security 
benefits on desktop.

What are the real security issues on desktop? OpenOffice exploits? Gnome 
exploits? What? You aren't running apache, mysql and php on desktop and 
those services shouldn't be running. Maybe ssh is running and that can 
be hardened really easily with firewall rules. What is the actual threat 
that SELinux prevents on Fedora Desktop?

Is it just there because SELinux exists and it makes things secure in 
general but also gets in the way of user experience? That is a poor excuse IMHO.

Valent.



