Request to re-add option to disable SELinux

Simo Sorce ssorce at redhat.com
Wed Jul 2 21:48:35 UTC 2008


On Wed, 2008-07-02 at 17:16 -0400, Jon Masters wrote:
> On Wed, 2008-07-02 at 17:13 -0400, Alan Cox wrote:
> > On Wed, Jul 02, 2008 at 04:37:48PM -0400, Jon Masters wrote:
> > > I wasted about 6 hours on Sunday evening[0] figuring out why an SELinux
> > > policy update in F9 had randomly stopped VPNC from working in a policy
> > > update - that came following days of denials trying to do even simple
> > > stuff. I can't possibly see how thrusting this default upon masses of
> > > otherwise unsuspecting users is a good idea. I'm not saying SELinux
> > > isn't a fantastic idea in certain cases, just not on "the desktop".
> > 
> > The desktop is where it is most needed.
> 
> Yes, in a perfect world in which policy and reality were so well aligned
> that everything just worked, all of the time.
> 
> > But here is a silly question - why are you using vpnc if you turn SELinux off,
> > telnet would be faster too?
> 
> I didn't turn SELinux off. I'm forcing myself to use it in enforcing
> mode, and I will continue to do so. But I think it's absolutely nuts to
> expect the average Fedora desktop user to do so :)

1) you are not the average user, your experience is biased and your
usage patterns are not standard

2) I use SELinux in enforcing mode since F8, I had almost no problems, I
do development and all. I know what SELinux is and when to change to
permissive.

Moreover, given I am doing development and I am fiddling with
non-standard stuff I expect to randomly have problems with SELinux
(which is all about blocking non-standard behavior), so I just took my 2
hours self-teaching course on SELinux and know how to diagnose and
change labels when needed. I even ventured into changing some policy for
the packages I work on, although Dan Walsh is super in helping out with
that stuff and learning how to write policies is not strictly needed.

Take your time, learn what SELinux is and help back to make it better by
providing changes relative to packages you own or you use most. This
will be a better use of your time.

I wonder if Windows developers had the same attitude toward NTFS ACLs
when Microsoft started transitioning them from FAT ... I think us Linux
devs can handle SELinux, conceptually and practically.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
