Request to re-add option to disable SELinux
Suren Karapetyan
surenkarapetyan at gmail.com
Thu Jul 3 18:15:00 UTC 2008
On Wed, 2008-07-02 at 16:10 -0400, Jon Masters wrote:
> Hi folks,
>
> I'd like to see the re-introduction of an option during (or shortly
> after, i.e. during firstboot) installation to disable SELinux, or set it
> to be permissive. My reason for making this request includes:
>
> *). A number of activities are not possible today, with SE Linux enabled
> and enforcing on a default F9 installation. I can give examples -
> downloading an ISO image and expecting to use it in virt-manager,
> creating a virtual machine in a non-standard location, etc.
>
> *). Policy changes will randomly stop things from working that used to
> work. Especially on the Desktop, where many possible code paths (SE
> Linux works by denying until an exception is found and added to the
> policy...requiring all code paths to be exercised) exist to do
> something. I found this last week when VPNC randomly broke.
>
> *). Tools like nautilus do not support labeling of files via the
> right-click properties dialog (gnome VFS, etc.) so there is no easy way
> for an end user who even understands part of this to fix context. This
> is the number one reason why SELinux should not be enabled by default,
> except on systems where there is an admin who can use chcon.
>
> But there are numerous other justifications I could give, including my
> personal belief that it's absolutely nuts to thrust SE Linux upon
> unsuspecting Desktop users (who don't know what it is anyway) without
> giving them the choice to turn it off.
>
> Cheers,
>
> Jon.
>
>
I just can't understand why it was removed.
If the answer is "to make it more secure" maybe we should also set root
fs encryption on by default and remove the checkbox?
It will become more secure...
More information about the devel
mailing list