Keeping SELinux on (was Attention: Proprietary video driver users (ATI, Nvidia, etc.))

Lamont R. Peterson lamont at gurulabs.com
Thu Feb 23 17:19:15 UTC 2006


On Thursday 23 February 2006 07:34am, Jeff Spaleta wrote:
> On 2/23/06, Rudolf Kastl <che666 at gmail.com> wrote:
> > that's definitely a worst case scenario ;)
>
> And sadly the most likely one, until there are some end-user oriented
> notifications from the system which explain what is going on and why,
> when an selinux related denial happens.  Having to keep a running tail
> of /var/log/messages open and learning how to decipher the avc
> messages while using vendor installers is a hurdle an order of
> magnitude too large for normal home users who don't understand the
> underlying issues.  And sadly, reaching out to other users tends to
> get you blanket "turn off" selinux answers.  There is a steep learning
> curve associated with selinux denials, and unless the fedora system
> makes an attempt to point users to granular tools as the denials occur
> the re-education effort is going to be hamstrung.

By no means is this limited to home users.  I would say that the *vast* 
majority of corporate admins just turn off SELinux.  The story behind how & 
why they learned to do that to begin with only varies in details.  It's almost 
always, "I had problems installing X or doing Y and I found a document on the 
Internet that said that SELinux was in the way and didn't work right anyway 
and was too complicated and didn't do me any good and that I couldn't learn 
enough about it to even understand what was happening, let alone deal with 
it, in less than a month and ... well, so I just turn off SELinux and then I 
don't have to deal with it."

I teach Linux for a living.  I teach Red Hat's courses and hear this story in 
almost every class taught.  Students even ask me if they'll have to do 
SELinux in the RHCT/RHCE exams, and then cringe in anticipation that I'll 
reply, "Yes."  Of course, the only answer I can give is "I don't know; if 
it's in the book it could be on the exam." ;)

You're right, there needs to be a buffer that makes SELinux troubleshooting 
and education less intimidating if we want end-users to keep SELinux enabled.  
I tell students in my classes that SELinux *is* intimidating and that they 
are not going to learn enough about it to write their own policy.  But that 
they will learn enough to understand why SELinux is important and valuable 
and to be able to identify and fix the most common problems (missing labels, 
booleans that need flipping, etc.) so that they can keep their SELinux 
enabled systems running smoothly and that it's not as hard as they think.

I also think that application developers need to think about SELinux when 
writing code.  If they also helped (that's "helped", not "did all the work") 
in producing policy for their own app(s), it just might not "get in the way".

This might be a pipe dream today; but, I remain hopeful.
-- 
Lamont R. Peterson <lamont at gurulabs.com>
Senior Instructor
Guru Labs, L.C. [ http://www.GuruLabs.com/ ]
GPG Key fingerprint: F98C E31A 5C4C 834A BCAB  8CB3 F980 6C97 DC0D D409
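The "buffer" both posters ask for, as an added illustration that is not part of this thread or of any Fedora tool: a small Python triage script that reads AVC denial lines in the /var/log/messages format of the time, restates each denial in plain language, and points the user at the first check to try (restorecon for a file carrying an unlabeled type, otherwise the boolean list). The log lines are constructed samples; the set of unlabeled types is the one old Fedora policies used, and the suggested follow-up commands are standard SELinux userland.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the 2006-era /var/log/messages AVC format (not real logs).
SAMPLE_LOG = """\
Feb 23 10:11:12 host kernel: audit(1140712272.118:37): avc:  denied  { read } for  pid=2231 comm="Xorg" name="nvidia0" dev=tmpfs ino=5820 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:file_t tclass=chr_file
Feb 23 10:11:40 host kernel: audit(1140712300.501:38): avc:  denied  { getattr } for  pid=2410 comm="httpd" name="index.html" dev=hda3 ino=88120 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
Feb 23 10:12:01 host sshd[2500]: Accepted publickey for lamont from 10.0.0.5 port 51422 ssh2
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Types that old Fedora policies assign to files lacking a proper label.
UNLABELED_TYPES = {"file_t", "unlabeled_t", "default_t"}


@dataclass
class Denial:
    comm: str        # process name from comm="..."
    perms: str       # permission(s) inside { }
    target: str      # name= or path= of the object
    scontext: str    # source (process) context
    tcontext: str    # target (object) context
    tclass: str      # object class, e.g. file, chr_file

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def explain(self) -> str:
        """Plain-language summary plus the first check a user should try."""
        msg = (f"{self.comm} (domain {self.scontext.split(':')[2]}) was denied "
               f"'{self.perms}' on {self.tclass} '{self.target}' labeled {self.target_type}.")
        if self.target_type in UNLABELED_TYPES:
            return msg + " Likely a missing label: run 'restorecon -v' on that file."
        return msg + " Label is set; check 'getsebool -a' for a boolean covering this access."


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an AVC line, or None for any other log line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(f.get("comm", "?"), m.group("perms").strip(),
                  f.get("name", f.get("path", "?")), f["scontext"], f["tcontext"], f["tclass"])


def triage(log: str) -> List[Denial]:
    return [d for d in map(parse_avc, log.splitlines()) if d]


if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(d.explain())
```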