SELinux Understanding

Antonio Olivares olivares14031 at yahoo.com
Fri Oct 12 21:20:20 UTC 2007


--- Karl Larsen <k5di at zianet.com> wrote:

>     While reading the man selinux I found the part that makes me think
> that this software may not be ready for a desktop user. Here it is:
> 
> FILE LABELING
>        All files, directories, devices ... have a security context/label
>        associated with them.  These context are stored in the extended
>        attributes of the file system.  Problems with SELinux often arise
>        from the file system being mislabeled.  This can be caused by
>        booting the machine with a non selinux kernel.  If you see an
>        error message containing file_t, that is usually a good indicator
>        that you have a serious problem with file system labeling.
>
>        The best way to relabel the file system is to create the flag
>        file /.autorelabel and reboot.  system-config-securitylevel, also
>        has this capability.  The restorecon/fixfiles commands are also
>        available for relabeling files.
> 
> Now I have used some of these ideas today. The list suggested and I did.
> But this stuff is not the kind of thing a person not using Linux in
> business wants to know about.
>
> Using all these fixes needs your computer running and up so you can do
> them. But I guess you could come up in a rescue CD and do these commands
> if you remember them.
> 
> So why would a desktop user ever want to run SELinux

Because it comes with Fedora whether you like it or
not.  You have 3 options, *** this has been stated X
number of times in previous selinux related threads
***

1) run selinux disabled
2) run selinux permissive
3) run selinux targeted.

Options 1 and 2 are what most users that do not like
SELinux use in order to continue using Fedora.

For option 3 to work, you need to work cooperatively
and use setroubleshooter and diagnose and correct
issues with it.  Report bugs and use it wisely.  It
can be a pain in the glass, but you have to remember
that it is an extra layer of protection, you only have
it there to protect you and not hurt you.  If it
bothers you, run it in disabled mode or permissive
mode.

The issue(s) of SELinux here on the list have been
discussed many times, have you not seen many posts
about it?  Why come back to it and create more trouble
for the people on this list?

Understanding SELinux is very hard, do what
setroubleshooter recommends, if it does not work,
complain and join the selinux list and ask for help, if
you do not want to help out fix the problems that you
and others might have, just run it disabled and there
you go.  There are many things in life that are very
hard to understand, please take more time to reflect
on your actions.

BTW, you are becoming very famous Karl, even on the
Fedora page for PulseAudio the new sound system for
Fedora 8 mentions your name in the 

Usage cases/rationale

http://fedoraproject.org/wiki/Releases/FeaturePulseaudio

Unless it is another Karl then I am sorry for
mentioning it :(

If it is indeed you, then enjoy your moment in the
limelight :)

Regards,

Antonio 
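
An added example, not part of the original post or of the man page it quotes: the quoted FILE LABELING text says an error containing file_t usually indicates a mislabeled file system, so this sketch scans AVC denial lines for a target context of type file_t and lists each affected object once. The log lines are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample AVC denials (not taken from a real system).
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1192223000.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=40011 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1192223001.202:42): avc:  denied  { getattr } for  pid=2101 comm="httpd" name="logo.png" dev=dm-0 ino=40012 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1192223002.303:43): avc:  denied  { write } for  pid=2300 comm="named" name="zone.db" dev=dm-0 ino=50001 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1192223003.404:44): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=dm-0 ino=40011 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
EOF
}

# Reads audit lines on stdin and prints "dev ino name comm" for every
# distinct object (keyed by device and inode) whose target context type,
# the third colon-separated field of tcontext, is file_t.
file_t_denials() {
    awk '
    /avc:/ && /denied/ {
        split("", f)                      # reset per-record key/value map
        for (i = 1; i <= NF; i++) {
            p = index($i, "=")
            if (p == 0) continue          # skip tokens such as "{" or "read"
            val = substr($i, p + 1)
            gsub(/"/, "", val)            # comm= and name= values are quoted
            f[substr($i, 1, p - 1)] = val
        }
        n = split(f["tcontext"], c, ":")
        if (n >= 3 && c[3] == "file_t" && !seen[f["dev"] SUBSEP f["ino"]]++)
            print f["dev"], f["ino"], f["name"], f["comm"]
    }'
}

# Any output here means some objects carry file_t, i.e. they need the
# relabeling that the quoted text covers (/.autorelabel plus a reboot,
# or restorecon/fixfiles on the affected paths).
sample_avc_log | file_t_denials
```

On a live system the same function can be fed the audit log instead of the sample, for example `file_t_denials < /var/log/audit/audit.log`, assuming auditd writes to its default location.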


       