SELinux Understanding

Karl Larsen k5di at zianet.com
Fri Oct 12 21:31:44 UTC 2007


Antonio Olivares wrote:
> --- Karl Larsen <k5di at zianet.com> wrote:
>
>   
>> While reading the man selinux I found the part that makes me think
>> that this software may not be ready for a desktop user. Here it is:
>>
>> FILE LABELING
>>        All files, directories, devices ... have a security context/label
>>        associated with them.  These contexts are stored in the extended
>>        attributes of the file system.  Problems with SELinux often arise
>>        from the file system being mislabeled.  This can be caused by
>>        booting the machine with a non selinux kernel.  If you see an
>>        error message containing file_t, that is usually a good indicator
>>        that you have a serious problem with file system labeling.
>>
>>        The best way to relabel the file system is to create the flag
>>        file /.autorelabel and reboot.  system-config-securitylevel also
>>        has this capability.  The restorecon/fixfiles commands are also
>>        available for relabeling files.
>>
>> Now I have used some of these ideas today. The list suggested and I did.
>> But this stuff is not the kind of thing a person not using Linux in
>> business wants to know about.
>>
>> Using all these fixes needs your computer running and up so you can do
>> them. But I guess you could come up in a rescue CD and do these commands
>> if you remember them.
>>
>> So why would a desktop user ever want to run SELinux
>>     
>
> Because it comes with Fedora whether you like it or
> not.  You have 3 options, *** this has been stated X
> number of times in previous selinux related threads
> ***
>
> 1) run selinux disabled
> 2) run selinux permissive
> 3) run selinux targeted.
>
> Options 1 and 2 are what most users that do not like
> selinux use in order to continue using Fedora.
>
> For option 3 to work, you need to work cooperatively
> and use setroubleshooter and diagnose and correct
> issues with it.  Report bugs and use it wisely.  It
> can be a pain in the glass, but you have to remember
> that it is an extra layer of protection, you only have
> it there to protect you and not hurt you.  If it
> bothers you, run it in disabled mode or permissive
> mode.
>
> The issue(s) of SELinux here on the list have been
> discussed many times, have you not seen many posts
> about it?  Why come back to it and create more trouble
> for the people on this list?
>
> Understanding SELinux is very hard, do what
> setroubleshooter recommends, if it does not work,
> complain and join selinux list and ask for help, if
> you do not want to help out fix the problems that you
> and others might have, just run it disabled and there
> you go.  There are many things in life that are very
> hard to understand, please take more time to reflect
> on your actions.  
>
> BTW, you are becoming very famous Karl, even on the
> Fedora page for PulseAudio the new sound system for
> Fedora 8 mentions your name in the 
>
> Usage cases/rationale
>
> http://fedoraproject.org/wiki/Releases/FeaturePulseaudio
>
> Unless it is another Karl then I am sorry for
> mentioning it :(
>
> If it is indeed you, then enjoy your moment in the
> limelight :)
>
> Regards,
>
> Antonio 
>
    No, that is another person with the name Karl, either first, middle or
last. I do all that stuff with VLC.



-- 

	Karl F. Larsen, AKA K5DI
	Linux User
	#450462   http://counter.li.org.
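
The man page excerpt quoted in this message names file_t in an error message as the sign of a mislabeled file system. The following is an added example, not part of the original thread or of any Fedora tool: it scans AVC denial records for targets labelled file_t and reports when a relabel is indicated. The audit lines are constructed samples and the function names are hypothetical.

```python
import re

# Constructed sample audit records for illustration (not from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1192224704.101:41): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=sda1 ino=40112 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1192224705.310:42): avc:  denied  { getattr } for  pid=2101 comm="httpd" name="logo.png" dev=sda1 ino=40113 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1192224709.877:43): avc:  denied  { name_bind } for  pid=2230 comm="named" src=8053 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=udp_socket
type=SYSCALL msg=audit(1192224709.877:43): arch=40000003 syscall=102 success=no exit=-13
"""

AVC_DENIED = re.compile(r"^type=AVC\s.*\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_DENIED.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    if "tcontext" not in fields:
        return None
    # A context is user:role:type[:level]; the level itself may contain colons.
    parts = fields["tcontext"].split(":", 3)
    if len(parts) < 3:
        return None
    return {
        "comm": fields.get("comm", "?"),
        "name": fields.get("name", "?"),
        "perms": m.group("perms").split(),
        "target_type": parts[2],
    }


def mislabel_denials(log_text):
    """Denials whose target carries file_t, the man page's mislabeling sign."""
    parsed = (parse_avc(line) for line in log_text.splitlines())
    return [d for d in parsed if d and d["target_type"] == "file_t"]


def needs_relabel(log_text):
    """True when at least one denial points at a file_t-labelled object."""
    return bool(mislabel_denials(log_text))


if __name__ == "__main__":
    for d in mislabel_denials(SAMPLE_AUDIT_LOG):
        print(f'{d["comm"]}: {" ".join(d["perms"])} denied on {d["name"]} (file_t)')
    if needs_relabel(SAMPLE_AUDIT_LOG):
        print("file_t seen: create /.autorelabel and reboot to relabel")
```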



