SELinux survey (was RE: Stupid F7 boot loop)

Don Russell fedora at drussell.dnsalias.com
Thu Aug 30 15:35:42 UTC 2007


Andrew Kelly wrote:
> On Wed, 2007-08-29 at 16:04 +0100, Jonathan Allen wrote:
>   
>> On Wed, Aug 29, 2007 at 09:41:19AM -0500, Mikkel L. Ellertson wrote:
>>     
>>> From there you can decide if you want to disable selinux, or relabel
>>> the system so selinux works correctly.
>>>       
>> How is that (easily) done - I have to admit that now it is running
>> disabled, I'm very much tempted to leave it that way rather than
>> mess about "in flight" so to speak.  Presumably I'll save a little
>> mill time at a fairly minimal risk on a secure system ...
>>
>> Jonathan
>>
>>
>>     
>
> Forgive the invitation to discussion, but....
>
> I personally have immediately disabled SELinux on any and every box I've
> ever installed for myself, and grind my teeth any time I even see the
> word. 
>
> Would any of you out there care to share with me any of your personal
> experiences with SELinux being useful to you (in any way whatsoever), on
> a single-user workstation?
>
> I'm quite willing to admit my ig'nerz on the subject and am open to
> being taught why the functionality is a Good Thing (tm).
>
> Andy
>   

After reading several replies to this thread, I see "I am not alone" ...

I have SELinux turned on, in permissive mode.... every day I see various 
denial messages in my Logwatch report which I have not yet taken the 
time to figure out. They are cryptic to say the least. But, like so many 
things that appear complex at first glance, it just takes a little 
reading and experimentation. (e.g. iptables CLI commands)

At a high level, I understand the concepts of what SELinux is doing.... 
and like the idea, but I have not tried to learn how to use it. I 
suppose if I were feeling a little more brave, I would turn it on in 
"enforcing" mode then fight whichever fires flared up.

However, I have not made the time to do that...my "plan" (and I use the 
term loosely) is to figure it out, eliminate improper error messages 
from my Logwatch reports, and THEN try SELinux in enforcing mode....

That's the theory... in practice, I will probably wait until I have a 
spare box to run another Linux image on, and play with that one more 
aggressively.... :-)




