How best get rid of SELinux?

Ralf Corsepius rc040203 at freenet.de
Fri Sep 21 06:43:35 UTC 2007


On Fri, 2007-09-21 at 11:47 +0530, Rahul Sundaram wrote:
> Ralf Corsepius wrote:
> 
> > 
> > If SELinux were working transparently (which it doesn't on Fedora in many
> > situations), nobody would name it "infection".
> 
> Pretty much every security solution has had a history of such problems.
Well, then you had better acknowledge these facts and stop reiterating RH's
marketing slogans.

Many Fedora users have had encounters/clashes with SELinux, so at least
this group of people knows that SELinux has not matured to a stage that
it is working transparently. We _know_ that SELinux can prevent systems
from operating, no matter what RH marketing wants to tell us.
 
> I remember back in the days when a firewall used to get very similar 
> complaints and everyone was suggesting just to turn it off instead. 
> SELinux is a fundamental security paradigm change. It has taken a lot of 
> effort to get where we are now.
Only if you consider it to be progress and a sustainable solution. So
far this is not clear. History will judge whether it really is or not.

Remember iptables and friends. They had to go through several iterations
until they reached a point where most people found them to be in an
acceptable and usable shape. Still, you will find many people who switch
firewalls off in certain situations (I do so on my home network's
clients. My server has them turned on).

> > => This is users complaining about SELinux's usability, based on their
> > personal experiences with the Fedora implementation.
> 
> At least in Mike McCarty's case he has no personal experience with it. 
> Users have mixed opinions as always.
> 
> > If SELinux were such a "terrific and compelling approach", upstream
> > Linux and other distros would have adopted it _years ago_ with standing
> > ovations - Fact is: Nobody did.
> > => This is developers and maintainers having doubts on SELinux.
> 
> Sure. Technology changes like this take time. Lilo vs GRUB and static dev 
> vs udev, as other relatively fundamental changes, have also taken time for 
> distributions to adopt.
Yes, and whether you want to accept it or not, these steps are still arguable.

> SELinux is indeed upstream and a number of distributions have varying 
> levels of support for it. Both the technology as well as adoption have 
> only been increasing over time.
Right, the art of upstream maintenance is to separate the "junk it is being
flooded with" from the "really useful things" and to separate
"temporary warts" from "promising approaches".

This applies especially to Linux (with competing vendors violently trying to
push _their_ approaches for marketing/political reasons) and in
particular to Fedora (which, due to its open nature, contains a lot of
stuff which would deserve to be named "junk ware").

Ralf