Ed Swierk wrote:
> On 1/3/08, Andrew Farris <lordmorgul@gmail.com> wrote:
>> As the policies improve, selinux will become hardly more complicated for general use than chmod itself is... proper policy + proper label = just works. Obviously both of those need to be in place and are in progress; so disable it when you must now, but if you just ignore it long term it's to your detriment. Set it permissive at minimum and keep the denial log messages for additional security review if/when you really need it. And finally, the ability to disable it is in the distro precisely so that you can (so why the rant? you want to be forced to enable it instead? you feel everyone should install without it enabled by default forever and ever? you feel that selinux should disable itself when you get denials that prevent you doing what you want? uhm, that won't do).
>
> No, no and no. Dimi raised the issue of gauging the usability of SELinux, and the only point of my rant was to convey the experience that led me to disable it.
>
> --Ed
OK, I understand then; however, I'd just comment that as a gauge of usability I think your situation (moving configurations across platforms, from no selinux to selinux) is somewhat of a fringe case. I realize that MANY admins would be doing just that in the process of adopting selinux, since rewriting configurations is a major pain, but it's still something that can almost be expected to cause headaches (and requires labeling). Just my 2c on usability: it still seems to work best when you start out from install with selinux enabled and avoid deliberately circumventing it.
Would you say that documentation on that specific issue (migrating configurations) needs more attention?
The big thing is any file moved has to get labeled. Your openvpn issue looks like it might be a real policy problem.
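The two points above, keeping the denial messages around for review and telling a mislabeled (moved or copied) file apart from a genuine policy gap, can be turned into a small triage script. The following is an added example, not code from the thread or from any distribution's SELinux tooling. It parses AVC records in the audit.log format, groups them by source type, target type and object class, and uses a heuristic (an assumption of this example, not a rule the thread states) that a target type of unlabeled_t, default_t or file_t points at a file that needs relabeling with restorecon, while anything else is a candidate policy problem. The audit lines it runs on are constructed for the example; the daemon and types in them are illustrative only.

```python
"""Triage SELinux AVC denials: separate files that merely need relabeling
from denials that look like real policy problems.

Added example; the audit records below are constructed, not taken from
any real system or from the thread."""
import re
from collections import defaultdict

# Constructed sample in audit.log format. Field order in real records varies,
# which is why each field is matched independently below.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1199404800.101:201): avc:  denied  { read } for  pid=2231 comm="httpd" name="index.html" dev=sda1 ino=8812 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1199404800.102:202): avc:  denied  { getattr } for  pid=2231 comm="httpd" name="index.html" dev=sda1 ino=8812 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1199404801.555:203): avc:  denied  { name_connect } for  pid=2231 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1199404801.555:203): arch=c000003e syscall=42 success=no exit=-13
"""

_PERMS = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
_FIELD = re.compile(r'\b(pid|comm|name|scontext|tcontext|tclass)=("[^"]*"|\S+)')

# Assumption (triage heuristic): these target types mean the object carries no
# policy-assigned label, the usual result of copying files in from a system
# without SELinux or of creating them while the policy was disabled.
UNLABELED_TYPES = {"unlabeled_t", "default_t", "file_t"}


def parse_avc(line):
    """Return a dict describing one AVC denial, or None for non-AVC records."""
    m = _PERMS.search(line)
    if not m:
        return None
    rec = {"perms": set(m.group(1).split())}
    for key, val in _FIELD.findall(line):
        rec[key] = val.strip('"')
    for ctx in ("scontext", "tcontext"):
        # A context is user:role:type[:level]; the type is what policy acts on.
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) >= 3 else ""
    return rec


def classify(rec):
    """'relabel' if the target looks unlabeled, else 'policy'."""
    return "relabel" if rec["tcontext_type"] in UNLABELED_TYPES else "policy"


def triage(lines):
    """Group denials by (source type, target type, class).

    Returns {"relabel": {...}, "policy": {...}}, each mapping that key to
    {"count": n, "perms": sorted permissions, "names": sorted object names}."""
    groups = {"relabel": defaultdict(lambda: {"count": 0, "perms": set(), "names": set()}),
              "policy": defaultdict(lambda: {"count": 0, "perms": set(), "names": set()})}
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["scontext_type"], rec["tcontext_type"], rec.get("tclass", ""))
        g = groups[classify(rec)][key]
        g["count"] += 1
        g["perms"] |= rec["perms"]
        if "name" in rec:
            g["names"].add(rec["name"])
    return {cat: {k: {"count": v["count"], "perms": sorted(v["perms"]),
                      "names": sorted(v["names"])} for k, v in d.items()}
            for cat, d in groups.items()}


def report(lines):
    """Human-readable summary with the next step for each group."""
    out = []
    summary = triage(lines)
    for key, g in summary["relabel"].items():
        src, tgt, cls = key
        out.append(f"[relabel] {src} -> {tgt} ({cls}) {{ {' '.join(g['perms'])} }} x{g['count']}; "
                   f"objects {g['names'] or ['?']}: run restorecon -Rv on the directory holding them")
    for key, g in summary["policy"].items():
        src, tgt, cls = key
        out.append(f"[policy]  {src} -> {tgt} ({cls}) {{ {' '.join(g['perms'])} }} x{g['count']}: "
                   f"needs a policy change (audit2allow, boolean, or a bug report)")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUDIT_LOG.splitlines())))
```

On a real box the input would be the AVC records from /var/log/audit/audit.log (or ausearch -m avc output) collected while running permissive, as suggested above. The "name" field is only a basename, so the script tells you which objects are affected but you still have to locate the directory before running restorecon; and the heuristic only separates the two cases the thread distinguishes, it does not decide whether a "policy" denial is a bug or a boolean you should flip.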