Testing Fedora? Please enable SELinux if you can

Camilo Mesias camilo at mesias.co.uk
Fri Jul 30 12:12:06 UTC 2010


Andrew,

> SELinux is very configurable, and its various protections can be
> turned on and off for each individual case.

That's interesting, I think the last problem I ran into was having to
set a boolean to get Picasa3 to run. This wasn't the whole fix, just
one step. I was under the impression that my choice would affect the
whole system. I would have preferred to make that setting just for
Picasa3 (not even just for Wine). I started a BZ report 527147 once
along similar lines.

In fact I think the ideal user experience would be more along the lines of...

User-> installs Picasa3 using yum and the google testing repo
User-> runs Picasa3
Fedora-> SELinux violation, 'picasa' is trying to mmap_low and this is
a security risk. Please choose
(a) disallow this every time (the safe option)
(b) allow it this time only, ask next time
(c) allow this every time

The user can then make a choice without making wide-reaching changes
to security. Bear in mind a user might well try something like this
only to decide to use another program instead (shotwell?) and it would
be a shame to leave behind SELinux config after the program is
uninstalled.

I am quite tempted to reinstall sometime and try the restorecon -R -v
/opt to see if it works, and make a flurry of BZ entries for
everything else SELinux related as I install Spotify and Picasa3.
Everything else works so well in F13 I think there's just a short way
to go to bring SELinux to the same level.

-Cam

