[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Request to re-add option to disable SELinux

On Wed, Jul 2, 2008 at 4:46 PM, Jon Masters <jonathan jonmasters org> wrote:
On Wed, 2008-07-02 at 16:28 -0400, Colin Walters wrote:

> Yeah, we're trying to make installing Fedora not be a Choose Your Own
> Linux Adventure game.

I agree (partially) with that sentiment. Though it can obviously go way
too far with the aim of making life "easier" during a 10 minute install.

I don't think we can go too far in cutting out the crap from the install process for desktops.  The target audience is (or should be) people who have *more important things* to do with their time than play Build My Own Linux.  They hit "Next" on the partitioning screens, firewall, etc.

If our defaults are broken, we should acknowledge that as a bug instead of foisting the choice onto our users.

> Either the SELinux policy works well enough that it is enabled by
> default and supported, or it's not.

If it were really black and white like that, then I'd have to argue for
SELinux to be disabled by default on new Fedora installs and have users
go into the system config dialog to turn it back on. After all, if
you're going to use the following argument:

Yes, I think what you should be arguing is that it should be permissive or disabled by default. 
I'm not sure I would agree with that argument personally given that I see little hope for any other extended security system (e.g. AppArmor is architecturally broken).

There are plenty of other possible choices besides just enabling by default or disabling:

o Default rawhide installs to permissive
o Create a system that automatically sends denials back to Fedora and treat them like crashes
o Tune down the default policy to move more things back into unconfined_t, and focus more strongly on vulnerable network servers like Samba, Apache etc.
o Actually have a regression test suite for Fedora and run updates through it


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]