Request to re-add option to disable SELinux

Andrew Farris lordmorgul at gmail.com
Thu Jul 3 17:32:10 UTC 2008 

Mike Chambers wrote:
> On Thu, 2008-07-03 at 04:29 -0400, Alan Cox wrote:
> 
>> Sorry if I sound fed up of all of this but I spent 9 months fighting people
>> years back to get firewalling enabled by default, and that had all the same
>> arguments. Today nobody (even Microsoft) would propose otherwise.
>>
>> This is the same thing ..
>>
>> As to Setroubleshoot it would be nicer if it spoke more "end user" ese and
>> could prompt/fix common mislabelling (eg html files)
> 
> I agree with Alan here, that if selinux is indeed a great program to
> help secure the OS and anything else, it at least needs to be a LOT more
> user friendly.  
> 
> Ok, don't give me this MS to linux compare bit on what I am comparing
> next, it's the comparing of wording and concept it's done in, not
> details and stuff LOL.  Anyway, Vista came out with that (I forget the
> damn program name) program that when certain programs/files run, you get
> a dialog box that you have to continue (to allow it to run) or cancel.
> Now, no this isn't exactly the same, but it is in a way.  They both
> provide a little better security than with out it.  BUT, in Vista, the
> user doesn't have to relabel something, or go to the CLI, or whatever.
> They get a little question stating this program wants to run, do you
> give it permission.  That's it, nothing else (might not like that dialog
> all the time though, I am sure).  And that is what I am trying to say
> for selinux, that it needs to allow things to do what they need, and if
> not, a simple little question or whatever to allow it.  The user should
> NOT have to go to the CLI for anything.  They shouldn't have to do this
> command or that command, JUST HIT YES OR NO!!

Working to add a simple 'press yes or no' is an exercise in futility... general 
users unquestioningly press yes and go on with their business whether they 
should have or not.  There is no effective difference from turning SELinux off. 
  If/When a program misbehaves and represents a security risk the user will have 
no means to know whether it should or should not be allowed... and training to 
say yes just because its an action they 'initiated by clicking' is horrible.

I would agree that some GUI tools would be a great fix, but not in the way Vista 
has chosen to do them, because that is a fake and pointless security comfort 
blanket and nothing more.  For these actions the user should at minimum have to 
type an administrator password (for instance any user/pass combo that has 
adequate PolicyKit authorization to make selinux policy changes).

> Well anyway, not ranting or raving.  Just trying to maybe help clarify
> what Jon was talking about, and what Alan was saying.  SELinux I am sure
> is a wonderful thing, and just needs to be I guess, dumbed down or
> whatever so the user clearly understands what it is doing or not doing
> and to present the user with simple to do questions/answers/buttons or
> whatever to push/answer.

The problem is that the general user does NOT understand even with the 
explanation given.  I've been struggling to understand selinux myself for 
several years and it is far from clear what is happening and why all the time. 
What is more difficult is knowing whether that application should have been 
allowed to do what it tried to do, and I'm far from a general desktop user.

SETroubleshoot is a great step forward for helping users know why selinux 
denials occur, but a simple dialog box will NEVER be adequate for a general user 
to know whether the application is doing something inappropriate, and whether 
they should force it to be allowed or not.

-- 
Andrew Farris <lordmorgul at gmail.com> www.lordmorgul.net
  gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB  5BD5 5F89 8E1B 8300 BF29

More information about the fedora-devel-list mailing list