Hi,
After I install F14 (KDE), how should I disable SELinux? Because more of the time it gives alerts and it is highly technical in nature to understand the SELinux (for a normal person, not from computers).
On 01/22/2011 11:03 AM, Parshwa Murdia wrote:
> After I install F14 (KDE), how should I disable SELinux? Because more of the time it gives alerts and it is highly technical in nature to understand the SELinux (for a normal person, not from computers).
Hi,
No, you shouldn't disable it. It's really another security layer on your system. I know the messages may sound highly technical but usually (if you're running the latest Fedora) you're given advice on how to solve the issue with a couple of choices ...and I know you may not have a clue on what's the best way to fix the issue (out of the proposed solutions) but then, you can always post the warnings here and some folks would try to help you out.
-- Jorge
On 01/22/2011 10:03 AM, Parshwa Murdia wrote:
> Hi,
> After I install F14 (KDE), how should I disable SELinux? Because more of the time it gives alerts and it is highly technical in nature to understand the SELinux (for a normal person, not from computers).
Try permissive mode. Fixes for alerts are suggested by alert details (you have to be root to try them). The fixes are straightforward to try but they haven't always worked for me. Permissive mode lets processes happen but tells you when SElinux thinks something might be wrong.
On 22Jan2011 16:03, Parshwa Murdia b330bkn@gmail.com wrote:
| After I install F14 (KDE), how should I disable SELinux? Because more
| of the time it gives alerts and it is highly technical in nature to
| understand the SELinux (for a normal person, not from computers).
The boot time defaults are in the file /etc/sysconfig/selinux. The current status is reported by the command "sestatus". You can change it on the fly with the "setenforce" command. See their manual pages for details ("man sestatus", "man setenforce"). Of course their manual pages do not mention each other :-(
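An added example, not part of the original thread: a shell check that compares the boot-time default in a file of the /etc/sysconfig/selinux format with the runtime mode as `getenforce` prints it, so that a `setenforce` change that was never made permanent (or never reverted) shows up. The function names, verdict words and the sample config are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): detect drift between the boot-time
# SELinux default and the runtime mode.

# Print the SELINUX= value of a file in /etc/sysconfig/selinux format,
# lower-cased. Comment lines and SELINUXTYPE= are not matched. If the key is
# set more than once this example uses the last one (an assumption).
selinux_boot_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*$/\1/p' "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# Classify a (boot default, runtime mode) pair and print one verdict word.
# $1: value from selinux_boot_mode; $2: mode as printed by `getenforce`.
selinux_verdict() {
    boot=$1
    run=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case $boot in
        enforcing|permissive|disabled) ;;
        *) echo invalid-config; return 0 ;;
    esac
    case $run in
        enforcing|permissive|disabled) ;;
        *) echo unknown-runtime; return 0 ;;
    esac
    if [ "$boot" = "$run" ]; then
        if [ "$boot" = enforcing ]; then echo ok; else echo not-enforcing; fi
    elif [ "$boot" = disabled ] || [ "$run" = disabled ]; then
        # setenforce cannot switch to or from disabled; that needs a reboot.
        echo reboot-pending
    elif [ "$run" = permissive ]; then
        # Boot default is enforcing, but the runtime was relaxed (setenforce 0).
        echo runtime-relaxed
    else
        # Runtime is enforcing, but the next boot comes up permissive.
        echo reverts-at-reboot
    fi
}

# Constructed sample in the layout of the stock config file.
write_sample_config() {
    cat > "$1" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing, permissive, disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# Demo on the constructed sample with a pretend runtime of "Permissive".
# Live: selinux_verdict "$(selinux_boot_mode /etc/sysconfig/selinux)" "$(getenforce)"
sample=$(mktemp)
write_sample_config "$sample"
boot_default=$(selinux_boot_mode "$sample")
echo "boot=$boot_default verdict=$(selinux_verdict "$boot_default" Permissive)"
rm -f "$sample"
```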
On Saturday 22 January 2011 15:03:46 Parshwa Murdia wrote:
> After I install F14 (KDE), how should I disable SELinux? Because more of the time it gives alerts and it is highly technical in nature to understand the SELinux (for a normal person, not from computers).
No you should not disable it. It is there to protect your system, and if you are not a technical person, leave it as it is and don't mess with it.
Also, if you are using your computer just for ordinary desktop stuff, you should never see any alerts.
You might provoke alerts if you are setting up servers or custom 3rd party software or messing around the filesystem with root privileges. However, in all those circumstances you are expected to be a non-beginner, to know what you are doing, and to be able to resolve any SELinux alerts as they come (or ask someone for help). Otherwise SELinux should Just Work (tm), and you should not see any issues with it.
HTH, :-) Marko
On 2011-01-22 22:20, Marko Vojinovic wrote:
> On Saturday 22 January 2011 15:03:46 Parshwa Murdia wrote:
>> After I install F14 (KDE), how should I disable SELinux? Because more of the time it gives alerts and it is highly technical in nature to understand the SELinux (for a normal person, not from computers).
> No you should not disable it. It is there to protect your system, and if you are not a technical person, leave it as it is and don't mess with it.
> Also, if you are using your computer just for ordinary desktop stuff, you should never see any alerts.
> You might provoke alerts if you are setting up servers or custom 3rd party software or messing around the filesystem with root privileges. However, in all those circumstances you are expected to be a non-beginner, to know what you are doing, and to be able to resolve any SELinux alerts as they come (or ask someone for help). Otherwise SELinux should Just Work (tm), and you should not see any issues with it.
> HTH, :-) Marko
I do wonder though - lots of distros don't use SELinux. Do they (say, Debian) use something else instead? Meaning: can I assume that if I disable SELinux and install I don't gufw or something equally simple that Fedora will be less secure than before but still just as safe as the next distro?
greetings, peter
On 01/22/2011 05:53 PM, peter_someone wrote:
> I do wonder though - lots of distros don't use SELinux. Do they (say, Debian) use something else instead? Meaning: can I assume that if I disable SELinux and install I don't gufw or something equally simple that Fedora will be less secure than before but still just as safe as the next distro?
> greetings, peter
I wouldn't.
If you are getting alerts, try the SELinux management tool. Better to allow those things that you are sure are safe for you to do, than to disable SELinux entirely.
When Fedora first offered SELinux, its management was clunky. Today it is seamless, or nearly so.
Actually, you should address your questions to the Fedora SELinux list. They take questions of this kind all the time. They'll ask you to specify what, exactly, you were doing, and the nature of the alert. Then they'll tell you how to work around it. (Though quite often they'll ask you why you are using some apparently misbehaved software.)
Understand this: security is all about whom do you trust, and what with, and how far.
Understand this also: the developers of That Other OS seem to know nothing about security, and that's why their OS is so vulnerable that one hears of at least one breach a month.
Take control of your system. A lot of folks here are ready to help you out. And Fedora's developers want to know the kinds of issues you're running into. If they didn't, then SELinux might have been abandoned long ago--but it has survived no less than twelve iterations. But they won't know unless you tell them--and "how do I disable such-a-thing" is not telling them; that's avoiding the issue. In this community, we face issues squarely, so that we have lasting solutions.
Temlakos
On 01/22/2011 09:03 AM, Parshwa Murdia wrote:
> Hi,
> After I install F14 (KDE), how should I disable SELinux? Because more of the time it gives alerts and it is highly technical in nature to understand the SELinux (for a normal person, not from computers).
See the SELinux for Mere Mortals presentation Dan Walsh and I did at https://access.redhat.com/knowledge/videos/ - the slide deck is also at http://people.redhat.com/tcameron
TC
On 2011-01-23 00:12, Temlakos wrote:
> I wouldn't.
> If you are getting alerts, try the SELinux management tool. Better to allow those things that you are sure are safe for you to do, than to disable SELinux entirely.
> When Fedora first offered SELinux, its management was clunky. Today it is seamless, or nearly so.
> Actually, you should address your questions to the Fedora SELinux list. They take questions of this kind all the time. They'll ask you to specify what, exactly, you were doing, and the nature of the alert. Then they'll tell you how to work around it. (Though quite often they'll ask you why you are using some apparently misbehaved software.)
> Understand this: security is all about whom do you trust, and what with, and how far.
> Understand this also: the developers of That Other OS seem to know nothing about security, and that's why their OS is so vulnerable that one hears of at least one breach a month.
> Take control of your system. A lot of folks here are ready to help you out. And Fedora's developers want to know the kinds of issues you're running into. If they didn't, then SELinux might have been abandoned long ago--but it has survived no less than twelve iterations. But they won't know unless you tell them--and "how do I disable such-a-thing" is not telling them; that's avoiding the issue. In this community, we face issues squarely, so that we have lasting solutions.
> Temlakos
Personally, I have no interest in disabling it anyway - I don't get alerts and have no problem otherwise. It was just a purely hypothetical question because I wonder how if SELinux is so essential most of the biggest linux-distros seem to completely neglect that fact.....
Peter
On Saturday 22 January 2011 22:53:26 peter_someone wrote:
> On 2011-01-22 22:20, Marko Vojinovic wrote:
>> On Saturday 22 January 2011 15:03:46 Parshwa Murdia wrote:
>>> After I install F14 (KDE), how should I disable SELinux? Because more of the time it gives alerts and it is highly technical in nature to understand the SELinux (for a normal person, not from computers).
>> No you should not disable it. It is there to protect your system, and if you are not a technical person, leave it as it is and don't mess with it.
> I do wonder though - lots of distros don't use SELinux. Do they (say, Debian) use something else instead? Meaning: can I assume that if I disable SELinux and install I don't gufw or something equally simple that Fedora will be less secure than before but still just as safe as the next distro?
Sorry, I didn't understand, what do you mean by "I don't gufw"?
As for other distros, they are just reluctant to enable SELinux by default, I guess because they still don't have a well developed policy to use for enforced mode. Fedora has been actively developing the policy since FC2, ie. over 6 years now. I don't know if the policy can be easily shared across different distros.
The alternative software is/was AppArmor, developed mainly by SuSE people (AFAIK), but recently Novell decided to "reduce" the number of people working on it (down to a one-man team, IIRC), and the former team leader went to work for Microsoft (!!!). You can read about it on the blog news, google them up.
SuSE is now also offering a kernel with SELinux built in but disabled by default. Users who wish to try it out can enable it and create their own policy.
Also, AFAIK, Ubuntu has been offering SELinux support for some time now, although it is also disabled by default.
RHEL, and clones like CentOS and ScientificLinux have SELinux enabled and running by default, using the policy derived from Fedora.
I wouldn't know about other distros.
In general, it seems that SELinux is slowly getting adopted by many, if not all distros. And yes, I would say that distros which don't have SELinux in enforcing mode by default are indeed less secure than Fedora. So to answer your question, if you disable SELinux in Fedora, it will be as secure as any distro that doesn't use SELinux, which is *less* secure than with SELinux active.
HTH, :-) Marko
On 2011-01-23 02:16, Marko Vojinovic wrote:
> Sorry, I didn't understand, what do you mean by "I don't gufw"?
> As for other distros, they are just reluctant to enable SELinux by default, I guess because they still don't have a well developed policy to use for enforced mode. Fedora has been actively developing the policy since FC2, ie. over 6 years now. I don't know if the policy can be easily shared across different distros.
> The alternative software is/was AppArmor, developed mainly by SuSE people (AFAIK), but recently Novell decided to "reduce" the number of people working on it (down to a one-man team, IIRC), and the former team leader went to work for Microsoft (!!!). You can read about it on the blog news, google them up.
> SuSE is now also offering a kernel with SELinux built in but disabled by default. Users who wish to try it out can enable it and create their own policy.
> Also, AFAIK, Ubuntu has been offering SELinux support for some time now, although it is also disabled by default.
> RHEL, and clones like CentOS and ScientificLinux have SELinux enabled and running by default, using the policy derived from Fedora.
> I wouldn't know about other distros.
> In general, it seems that SELinux is slowly getting adopted by many, if not all distros. And yes, I would say that distros which don't have SELinux in enforcing mode by default are indeed less secure than Fedora. So to answer your question, if you disable SELinux in Fedora, it will be as secure as any distro that doesn't use SELinux, which is *less* secure than with SELinux active.
> HTH, :-) Marko
Thanks man - THAT'S what I wanted to know :)
On Sun, 2011-01-23 at 01:16 +0000, Marko Vojinovic wrote:
> In general, it seems that SELinux is slowly getting adopted by many, if not all distros. And yes, I would say that distros which don't have SELinux in enforcing mode by default are indeed less secure than Fedora. So to answer your question, if you disable SELinux in Fedora, it will be as secure as any distro that doesn't use SELinux, which is *less* secure than with SELinux active.
There seems to be this paranoia about SELinux being developed by the NSA, so they're afraid what they may be able to do to you. Disregarding the fact that if you were to not have SELinux, they'd still be able to do whatever they could do, probably even more so. :-p
On Sun, Jan 23, 2011 at 4:06 AM, Tim ignored_mailbox@yahoo.com.au wrote:
> On Sun, 2011-01-23 at 01:16 +0000, Marko Vojinovic wrote:
>> In general, it seems that SELinux is slowly getting adopted by many, if not all distros. And yes, I would say that distros which don't have SELinux in enforcing mode by default are indeed less secure than Fedora. So to answer your question, if you disable SELinux in Fedora, it will be as secure as any distro that doesn't use SELinux, which is *less* secure than with SELinux active.
> There seems to be this paranoia about SELinux being developed by the NSA, so they're afraid what they may be able to do to you. Disregarding the fact that if you were to not have SELinux, they'd still be able to do whatever they could do, probably even more so. :-p
Now at least there is a chance of getting "NSA alerts" from sealert. ;)
> --
> [tim@localhost ~]$ uname -r
> 2.6.27.25-78.2.56.fc9.i686
Parshwa Murdia <b330bkn <at> gmail.com> writes:
> Hi,
> After I install F14 (KDE), how should I disable SELinux? Because more of the time it gives alerts and it is highly technical in nature to understand the SELinux (for a normal person, not from computers).
SELinux is a dangerous software, by its faulty design, and thus more so in the context of security, which is supposed to provide.
Try this: # yum remove "*selinux*"
Now, what are you going to do when a hacker roots your machine with SELinux enabled (in enforcing mode) and infects SELinux so that it can not be disabled?
You would have to nuke your entire system to get it disinfected :-)
I look forward to that day ...
JB
On Sun, Jan 23, 2011 at 11:29 AM, JB jb.1234abcd@gmail.com wrote:
> SELinux is a dangerous software, by its faulty design, and thus more so in the context of security, which is supposed to provide.
It is faulty or not I don't know, but at least, I can say that it should dangerous software. Why don't there is an option like, if you wish you can enable SELinux, might be other distros having (I don't have idea).
On 01/23/2011 08:44 AM, Parshwa Murdia wrote:
> On Sun, Jan 23, 2011 at 11:29 AM, JB jb.1234abcd@gmail.com wrote:
>> SELinux is a dangerous software, by its faulty design, and thus more so in the context of security, which is supposed to provide.
> It is faulty or not I don't know, but at least, I can say that it should dangerous software. Why don't there is an option like, if you wish you can enable SELinux, might be other distros having (I don't have idea).
Please note that the OP gave no evidence or reasons to back up his assertion that SELinux's design is faulty. Extraordinary claims need extraordinary evidence and, until it's offered, this is just Argument By Assertion and can be dismissed as FUD.
On Sun, Jan 23, 2011 at 5:50 PM, Joe Zeff joe@zeff.us wrote:
> Please note that the OP gave no evidence or reasons to back up his assertion that SELinux's design is faulty.
See back you said it faulty!
> Extraordinary claims need extraordinary evidence
Correct phrase.
> and, until it's offered, this is just Argument By Assertion and can be dismissed as FUD.
No idea.
On Saturday, January 22, 2011, Thomas Cameron wrote:
> See the SELinux for Mere Mortals presentation Dan Walsh and I did at https://access.redhat.com/knowledge/videos/
appears to be for Redhat customers only and requires a login
On Fri, Jan 28, 2011 at 8:48 AM, Claude Jones cjoneslists@tehogeeservices.com wrote:
> On Saturday, January 22, 2011, Thomas Cameron wrote:
>> See the SELinux for Mere Mortals presentation Dan Walsh and I
> appears to be for Redhat customers only and requires a login
> --
> Claude Jones
> Brunswick, MD, USA
A Google search for "SELinux for Mere Mortals" ought to give you a couple places from which you can download it.
On 01/28/2011 09:11 AM, Ted Roche wrote:
> A Google search for "SELinux for Mere Mortals" ought to give you a couple places from which you can download it.
I tried but gave up after a few pages. Hits were divided between newsgroup mirrors of the Fedora list with this discussion, and links to the .pdf of that presentation. I tried reading the slides but it became quickly obvious that the video would probably be a lot more useful...
Claude Jones cjoneslists@tehogeeservices.com writes:
> On 01/28/2011 09:11 AM, Ted Roche wrote:
>> A Google search for "SELinux for Mere Mortals" ought to give you a couple places from which you can download it.
> I tried but gave up after a few pages. Hits were divided between newsgroup mirrors of the Fedora list with this discussion, and links to the .pdf of that presentation. I tried reading the slides but it became quickly obvious that the video would probably be a lot more useful...
This link looks promising. Audio only.
http://www.archive.org/details/Txlf-SelinuxForMereMortals
-wolfgang