Request to re-add option to disable SELinux

Wed Jul 2 21:14:27 UTC 2008

On Wed, 2008-07-02 at 16:58 -0400, Colin Walters wrote:

> I don't think we can go too far in cutting out the crap from the
> install process for desktops.

Like I said, I like the sentiment ;)

> If our defaults are broken, we should acknowledge that as a bug
> instead of foisting the choice onto our users.

Ok, so...

> Yes, I think what you should be arguing is that it should be
> permissive or disabled by default.  

Ok then let me just say it. I think the default should be permissive or
disabled by default. I was hoping to not have to say that - but I think
it's a lot safer on the mass userbase of Fedora than thrusting a fully
enforcing SELinux policy set upon them. If I'm having to hack on the
policy files on my laptop, there's no hope for a desktop user.

> I'm not sure I would agree with that argument personally given that I
> see little hope for any other extended security system (e.g. AppArmor
> is architecturally broken).

Oh, see this is why I didn't want to just say "let's turn it off by
default", because people read it as an attack on SELinux itself. But it
doesn't have to be like that. SELinux is well designed (App Armor is
basically crackrock in my personal opinion) but it's extremely
complicated in terms of the policy that exists. It's also not for
everyone, in my opinion. I think that SELinux makes great sense on a
server running a timesharing environment, far less on a desktop.

> There are plenty of other possible choices besides just enabling by
> default or disabling:
> 
> o Default rawhide installs to permissive

And yet the issues I've had have all been on F9, stock.

> o Create a system that automatically sends denials back to Fedora and
> treat them like crashes

There's still a lead time of days, or weeks. Dan is *very* good (I'm
being careful here to explicitly say I'm not attacking the folks behind
the policy - he updated the policy within a day of e.g. the VPNC issue)
but the whole thing is still very reactionary to problem reports. If a
user tries to do some of the things I tried, and they fail, they'll just
give up on trying, and think that it's all a waste of time.

> o Tune down the default policy to move more things back into
> unconfined_t, and focus more strongly on vulnerable network servers
> like Samba, Apache etc.

This absolutely the most essential thing to be doing. I've been arguing
this for ever and ever. Personally, I think SELinux is a great tool on
servers to protect network facing stuff...but there needs to be a middle
ground on Desktops where people can just get stuff done. I haven't
pushed this on fedora-devel - I didn't expect a warm response ;)

> o Actually have a regression test suite for Fedora and run updates
> through it

Well, while we're at it, we really need to encourage more people to use
bodhi and start voting (and thereby assigning karma), and knowing about
updates (which should only ever contain essential fixes). But that's
another whole bucket of worms for a different thread.

Jon.

> 