SELinux Understanding
Karl Larsen
k5di at zianet.com
Fri Oct 12 21:31:44 UTC 2007
Antonio Olivares wrote:
> --- Karl Larsen <k5di at zianet.com> wrote:
>
>
>> While reading the man selinux I found the part
>> that makes me think
>> that this software may not be ready for a desktop
>> user. Here it is:
>>
>> FILE LABELING
>> All files, directories, devices ... have a security context/label
>> associated with them. These contexts are stored in the extended
>> attributes of the file system. Problems with SELinux often arise from
>> the file system being mislabeled. This can be caused by booting the
>> machine with a non selinux kernel. If you see an error message
>> containing file_t, that is usually a good indicator that you have a
>> serious problem with file system labeling.
>>
>> The best way to relabel the file system is to create the flag file
>> /.autorelabel and reboot. system-config-securitylevel also has this
>> capability. The restorecon/fixfiles commands are also available for
>> relabeling files.
>>
>> Now I have used some of these ideas today. The list suggested and I did.
>> But this stuff is not the kind of thing a person not using Linux in
>> business wants to know about.
>>
>> Using all these fixes needs your computer running and up so you can do
>> them. But I guess you could come up in a rescue CD and do these commands
>> if you remember them.
>>
>> So why would a desktop user ever want to run SELinux?
>>
>
> Because it comes with Fedora whether you like it or
> not. You have 3 options, *** this has been stated X
> number of times in previous selinux related threads
> ***
>
> 1) run selinux disabled
> 2) run selinux permissive
> 3) run selinux targeted.
>
> Option 1 and 2 are what most users that do not like
> selinux use in order to continue using Fedora.
>
> For option 3 to work, you need to work cooperatively
> and use setroubleshooter and diagnose and correct
> issues with it. Report bugs and use it wisely. It
> can be a pain in the glass, but you have to remember
> that it is an extra layer of protection, you only have
> it there to protect you and not hurt you. If it
> bothers you, run it in disabled mode or permissive
> mode.
>
> The issue(s) of Selinux here on the list have been
> discussed many times, have you not seen many posts
> about it? Why come back to it and create more trouble
> for the people on this list?
>
> Understanding Selinux is very hard, do what
> setroubleshooter recommends, if it does not work,
> complain and join selinux list and ask for help, if
> you do not want to help out fix the problems that you
> and others might have, just run it disabled and there
> you go. There are many things in life that are very
> hard to understand, please take more time to reflect
> on your actions.
>
> BTW, you are becoming very famous Karl, even on the
> Fedora page for PulseAudio the new sound system for
> Fedora 8 mentions your name in the
>
> Usage cases/rationale
>
> http://fedoraproject.org/wiki/Releases/FeaturePulseaudio
>
> Unless it is another Karl then I am sorry for
> mentioning it :(
>
> If it is indeed you, then enjoy your moment in the
> limelight :)
>
> Regards,
>
> Antonio
>
>
No, that is another person with the name Karl, either first, middle or
last. I do all that stuff with VLC.
--
Karl F. Larsen, AKA K5DI
Linux User
#450462 http://counter.li.org.
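
The man page text quoted in this thread says that an error message containing file_t usually indicates a file system labeling problem. As an added example (not part of the original messages and not SELinux project code), the script below scans audit log lines for AVC denials whose target context type is file_t and suggests the relabel steps the man page names; the sample log lines and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find AVC denials whose target type is file_t.
# Constructed sample audit lines (not taken from a real system).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1192224704.101:45): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev=sda1 ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1192224705.202:46): avc:  denied  { getattr } for  pid=2301 comm="httpd" name="index.html" dev=sda1 ino=123456 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1192224709.303:47): avc:  denied  { write } for  pid=1988 comm="cupsd" name="printers.conf" dev=sda1 ino=98765 scontext=system_u:system_r:cupsd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1192224711.404:48): avc:  denied  { name_bind } for  pid=2301 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=USER_AUTH msg=audit(1192224712.505:49): user pid=2410 uid=0 msg='note about file_t in free text'
EOF
}

# Print one "dev ino name" line per distinct object that was denied while
# its target context type was file_t. Only the type field of tcontext is
# compared, so file_t appearing elsewhere in a line does not match.
# Limitation: file names containing spaces are truncated at the first space.
file_t_targets() {
    awk '
    $1 == "type=AVC" {
        name = dev = ino = ttype = ""
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "name") { name = kv[2]; gsub(/"/, "", name) }
            else if (kv[1] == "dev") dev = kv[2]
            else if (kv[1] == "ino") ino = kv[2]
            else if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        }
        if (ttype == "file_t" && !seen[dev SUBSEP ino]++) print dev, ino, name
    }'
}

# Suggest (never perform) the relabel options the man page describes.
relabel_advice() {
    n=$(file_t_targets | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        echo "$n object(s) labeled file_t: create /.autorelabel and reboot, or run restorecon/fixfiles"
    else
        echo "no file_t denials found"
    fi
}

sample_audit_log | relabel_advice
```

On a real system the input would come from the audit log instead of the embedded sample, for example `file_t_targets < /var/log/audit/audit.log`.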