Request to re-add option to disable SELinux

Casey Dahlin cdahlin at redhat.com
Thu Jul 3 16:52:06 UTC 2008


Jon Masters wrote:
> Hi folks,
>
> I'd like to see the re-introduction of an option during (or shortly
> after, i.e. during firstboot) installation to disable SELinux, or set it
> to be permissive. My reason for making this request includes:
>
> *). A number of activities are not possible today, with SE Linux enabled
> and enforcing on a default F9 installation. I can give examples -
> downloading an ISO image and expecting to use it in virt-manager,
> creating a virtual machine in a non-standard location, etc.
>
>   

Well we should fix these issues then, shouldn't we?

> *). Policy changes will randomly stop things from working that used to
> work. Especially on the Desktop, where many possible code paths (SE
> Linux works by denying until an exception is found and added to the
> policy...requiring all code paths to be exercised) exist to do
> something. I found this last week when VPNC randomly broke.
>
>   

Yes. This is very true. By the same token, we should stop shipping the 
kernel as well since config changes can break things.

Or we could just do our job and release better updates.

> *). Tools like nautilus do not support labeling of files via the
> right-click properties dialog (gnome VFS, etc.) so there is no easy way
> for an end user who even understands part of this to fix context. This
> is the number one reason why SELinux should not be enabled by default,
> except on systems where there is an admin who can use chcon.
>
>   

Nautilus is deficient in many ways for administration. We can fix all of 
them. Personally I think the first thing to fix in nautilus is the 
"Permission denied" errors when operating as an unprivileged user and 
trying to access files to which you don't have permission. We should be 
offering to elevate the user through policy kit in these situations.

> But there are numerous other justifications I could give, including my
> personal belief that it's absolutely nuts to thrust SE Linux upon
> unsuspecting Desktop users (who don't know what it is anyway) without
> giving them the choice to turn it off.
>
>   

These unsuspecting desktop users who don't know what SELinux is will 
then be able to turn it off and freely run virtual machines to continue 
their clustering simulations and live migration tests.

I have enough civility in me to carry out any discourse politely...once. 
This is about the 950th "SELinux ate my baby, let's turn it off" thread. 
What's supposed to be different THIS time?

--CJD




More information about the devel mailing list