Selinux

Bill Davidsen davidsen at tmr.com
Mon Dec 1 18:35:12 UTC 2008


Bruno Wolff III wrote:
> On Sat, Nov 29, 2008 at 20:41:51 -0500,
>   Tom Horsley <tom.horsley at att.net> wrote:
>> So why isn't it much simpler and less trouble to just turn off
>> selinux in the first place? I get the same level of security in the
>> end, and much less hassle in the meantime :-).
> 
> Because you can still leave it protecting other processes on the system
> by either using permissive domains or using audit2allow to generate rules
> you can use to add a new policy module.
> 
> What would be really nice is if people reported these issues to bugzilla
> instead of or in addition to griping about them here. Then either the app
> or the policy could be fixed for everyone else.
> 
Sorry, I assume that the QA process includes someone actually installing the 
application and seeing that it works. I would rather see things sit in 
updates-testing until someone is willing to sign off that they actually have 
been at least smoke tested?

It doesn't need to be some maintainer who does that, anyone who is going to use 
the package can take a moment to do the sign off, assuming that there's a 
process to identify people as capable of installing a package with selinux 
enabled (lots of folks), and willing to do so (still hopefully a non-empty set).

If Fedora is going to ship with SELinux enabled, it also should be working. I 
keep one fully patched VM for testing things, just create a qcow clone and 
run the test. Great for opening those web sites which may be useful or may have 
evil, among other things.

-- 
Bill Davidsen <davidsen at tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot



