SElinux
Paul Howarth
paul at city-fan.org
Sat Apr 8 16:08:10 UTC 2006
On Sat, 2006-04-08 at 10:55 -0500, Robert Nichols wrote:
> Bruno Wolff III wrote:
> > On Tue, Apr 04, 2006 at 15:57:30 -0500,
> > Robert Nichols <rnicholsNOSPAM at comcast.net> wrote:
> >
> >>Of course, anyone who wishes to continue being a beta tester for a
> >>highly complex security package suitable mainly for servers or
> >>dedicated machines performing a narrow set of well-defined functions
> >>is welcome to do so.
> >
> >
> > SELinux has value on Desktops, at least to some people. I would really like to
> > be able to run programs that don't have the same access to resources (in
> > particular network connections) that I do. I know longer trust software
> > venders not to bad stuff in their software, at least for things targetted
> > at consumers. Things are likely to get worse in this regard in the near
> > future.
>
> Actually, I agree with you completely. I've just found SELinux too
> painful to use. I fought with it a long time in FC-3, almost had it
> working, but never managed to get permissive mode to stay quiet long
> enough to let me go to enforcing mode. I looked at SELinux in FC-4
> to see what might have changed, but I never really did much with FC-4.
> Now I see that in FC-5 so much has changed that absolutely nothing
> that I learned how to do in FC-3 applies any more. I'd be starting
> from scratch again. Sorry, BTDT. Sure, there are programs I'd like
> to confine, but SELinux just isn't a feasable way to do that unless
> you have an SELinux guru on call to set up and maintain your system.
It's actually easier to fix things in FC5:
http://fedoraproject.org/wiki/SELinux/LoadableModules/Audit2allow
There's also a decent reference guide that's FC5-specific:
http://fedora.redhat.com/docs/selinux-faq-fc5/
And there's lots of SELinux-related stuff on the fedora wiki:
http://fedoraproject.org/wiki/Bugs/FC5Common?action=fullsearch&value=selinux&titlesearch=Titles
Paul.
More information about the fedora-list
mailing list