SELinux in Fedora Workstation

alex diavatis alexis.diavatis at gmail.com
Thu May 8 23:25:16 UTC 2014 

On Fri, May 9, 2014 at 1:53 AM, Elad Alfassa <elad at fedoraproject.org> wrote:

>
>
>
> On Fri, May 9, 2014 at 1:41 AM, alex diavatis <alexis.diavatis at gmail.com>wrote:
>
>>
>> From what David [1]said "Some underlying infrastructure our games rely
>> on is incompatible with SELinux. We are hoping to correct this."
>> So Steam users should disable SELinux or should stop using Steam, or
>> Valve is going to be full SELinux compatible?
>> There are hundreds ways that an application (un-intentionally) can do
>> nasty exploitations, SELinux un-aware.
>>
>>
>
> FYI,
> Valve fixed their broken code after I (and few other) made a lot of noise
> about it in the issue and on reddit.
> Their code was broken from a security perspective. What they were doing
> could, theoretically, make it much easier for an attacker to get
> unauthorized access to your machine.
> SELinux not only blocked the dangerous practice they were using, but also
> helped us (and them) understand it's dangerous, which prompted a fix which
> increased the security
> of that part of their product, which is a fantastic thing.
> You can read the info linked to in this issue for more technical
> explanations.
>

Yes I read the full bug report. I referred what David said to "prove" that
Valve pretty much don't care about SELinux, it is isn't SELinux compatible.
Except if David meant that Steam is just a security whole, that's why
no-SELinux compatible :)

In this particular report, yes it was a security bug from Valve's side.
What about the rest cases?

Okay, SELinux might be an excellent bug detecting tool, but debugging
should be done from developers, and security should
be on application level.


>
>
> Either way, I think the consensus is that we are not going to
> disable/remove/cripple SELinux on our default offering.
> Users who feel safe disabling OS security features can still do it, but I
> can't say I recommend this to anyone.
>

> SELinux also provides features we really want to make use of in the
> future, namely secured sandboxes - a really useful and important feature.
>

Hey, I'm fine with your answers. I' am not saying disable the SELinux, I
basically asked "why"  you don't disable it..
You explained the why, I am fine :)

Thanks again!

- alex
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/desktop/attachments/20140509/a14608ed/attachment.html>

More information about the desktop mailing list