SELinux removed from desktop cd spin?
Daniel J Walsh
dwalsh at redhat.com
Thu Jan 17 16:42:34 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Valent Turkovic wrote:
> On Jan 16, 2008 10:13 PM, Dave Airlie <airlied at redhat.com> wrote:
>> On Wed, 2008-01-16 at 16:00 -0500, Alan Cox wrote:
>>> On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
>>>> I believe that SELinux is a great linux server security hardening tool
>>>> but that has little use in desktop linux usage and it confuses
>>>> ordinary desktop users.
>>> Desktop users are the people it is most important for. If it is still confusing
>>> people we need to fix the confusions. Perhaps you can explain more ?
>> We made one big mistake with SELinux, selinuxalert or whatever it is
>> called... we haven't learned from the MAC vs Windows ads... we now have
>> an app that puts us squarely into the Windows lack of usefulness camp.
>> "hey user this app is doing something bad. do you want to let it do
> I wish it was that easy when I installed fluendo codes I couldn't play
> my multimedia because SELInux blocked it (nobody tested it even that
> fedora 8 advertised fluendo codec support as one of its new shiny
> selinux troubleshoot tool it still to hard for ordinary desktop users.
> I see the real benefit of SELinux troubleshoot tool for admins using
> RHEL of fedora on their servers but on desktop I hardly see any point.
> I will bet anybody who wants that Fedora live cd users will have more
> trouble from using SElinux than benefit. Also that ubuntu, opensuse
> and other distros that don't use SElinux won't be in trouble from some
> 0day exploit.
# setsebool -P allow_execmod=1
THis will turn off checking for badly coded shared libraries. (fluendo
codecs and others.)
Also make sure you are up2date with the latest policy. Finally make
sure /var/log/ has the right context. restorecon -R -v /var/log
logrotate had a bug where it was loosing file context.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the fedora-devel-list