Developers of packages please pay attention to selinux labeling.

Carl Gaudreault carl.gaudreault at gmail.com
Tue Jul 13 16:17:34 UTC 2010


Pádraig Brady wrote:

>Nobody I know enables SELinux.
>smolt says about half leave it enabled:
>http://smolts.org/static/stats/stats.html
>But I'm guessing a lot of experienced users/devs
>disable it given previous experiences...
 
It's closer to 70% actually; also consider the 18.7% being marked as 
"Unknown".
 
>Personally I do momentarily enable to test but always disable
>because of hundreds of errors in the applet thingy.
 
If you have _hundreds_ of errors with SELinux, I'm afraid you are 
exaggerating, using a custom policy or you might have a serious labeling issue:
 
touch /.autorelabel
reboot
 
My system is running as staff_u, and I don't remember reporting more than 20-30 
AVCs over now almost a year. If you think it might be an issue with the 
policy, you should report those bugs into RHBZ.
 
>Enabling in non enforcing mode causes a huge performance hit,
>causing for example the "do you want to kill" dialog to pop up
>when I try to quit firefox.
 
Can you measure the *huge* performance hit? I would be interested to see your 
numbers. As far as I'm aware, the performance hit of SELinux is around 5-7%.
 
>But I'm guessing a lot of experienced users/devs
>disable it given previous experiences...
 
Well, they should reconsider their decision and just take a look at how many 
user space tools are available to make their life easier.
 
The FUD about SELinux needs to stop.