do I need SELinux?

Daniel J Walsh dwalsh at redhat.com
Fri Nov 12 14:37:21 UTC 2004


Craig wrote:

> William Hooper wrote:
>
>> Michael A. Peters said:
>> [snip]
>>
>>> But there are still imho too many cases where it gets in the way of
>>> what the desktop user wants to do for me personally to recommend it to
>>> desktop users. You can see this in posts on the test list. Some of that
>>> may be user error, but it still gets in the way sometimes. Maybe by FC4.
>>
>> Most of the posts to the test list about SELinux lately have been about
>> httpd issues (serving from users' home directories, cgi scripts, etc.). I
>> would argue that the average "desktop" system wouldn't have those issues.
>>
>> SELinux makes just as much sense on the desktop, because it is another
>> layer of permissions to keep you from making a mistake that will break
>> things.
>>
> I completely agree. Remember that the default policy is "Targeted", 
> which means that it targets controls/apps that allow your pc to share 
> internal info with the outside world. This kind of added protection is 
> always a good thing. It is important to remember that Red Hat made the 
> decision long ago to distribute SE Linux, not Linux. Even if they were 
> to foray into desktop sales again, they would do so with SE Linux, not 
> Linux. It is the future be it server or desktop.
>
> Craig
>
The current SELinux targeted policy is aimed at the server environment,
or machines that have network connected daemons.  In the future we want
to bring more of this technology to the Desktop platform.  The question
we have is how do we do this without being so disruptive that people
just turn it off.  So for now SELinux is in its infancy; we are hoping
that the open source movement embraces this technology and we figure out
new and innovative ways to use it in many different environments.  People
are already looking at everything from targeted to strict policy.  MLS
systems are being developed in it.  Investigations are ongoing on
advancements in X-Windows and SELinux.

So I would hope that people will work with it and not just turn it off
as soon as they have a problem with the system.



