SELinux

Tim ignored_mailbox at yahoo.com.au
Fri Jan 21 00:51:03 UTC 2011


Tim:
>>  I really don't know why people have such grand problems with it.

Kostas Sfakiotakis:
> I could think of a million reasons. For example, let's just say that
> they don't have an idea about what mandatory access control is and
> how to live with it.

For the average user, it shouldn't be a problem.  It shouldn't really be
noticeable, unless they're doing something stupid with their computer.

>>  I don't. Not even when I run various servers.

> Well that could be your problem Tim. As you say, you run SERVERS. Servers
> are supposed to do very specific things and not everyday stuff.

I have several computers, some are servers, most are clients.  I don't
really have any SELinux problems (beyond the rare fault that's fixed by
a yum update).  The clients don't notice it's there, and there's only a
few things I have to do to allow a server to do its business.

By default, and quite rightly, many servers are turned off and their
activities are disallowed.  If you want to run a server, you should
learn what you're doing, and part of that process is configuring it as
well as understanding the ramifications.

I.e., I don't give a damn for lazy people who want to run an SMTP server,
and not secure it.  Servers that cause widespread havoc are best left
to those who know what they're doing, and tightened up so much that the
clueless can't run them.

Now, installing some random software from outside of a repo may cause a
SELinux problem.  But then, such software may cause all sorts of
non-SELinux problems.  From the possibility of it being a malicious
program, to it simply having all sorts of dependencies that you're going
to have to handle by hand.

It's certainly in the interests of such software to be written so that
it doesn't fight with SELinux.  Not just because there are computer
systems using it.  But, because, generally, software that gets hit on
the head by SELinux gets hit on the head because it's doing something
that it really shouldn't be doing.  e.g. Expecting to be able to access
any file on the system, or be executable in ways that it shouldn't.

It's been my experience that programmers are far worse than users
regarding security and doing dumb things with computers.  Their attitude
of "I should be able to do anything" is really bad, likewise with their
lack of understanding about why.  It's why we have so much bad software
on some computer systems (generally Windows).

>> I strongly suspect it's because they're doing daft things with their 
>> computer, in the first place, then following bad advice to resolve
>> it.


> Well that's the issue. I can't really understand why I can't do any
> stupid thing with the computer I have paid for.

Therein lies the problem.  *You*, or others doing the same thing, not
SELinux.

In this internetted world, your use of a computer doesn't just affect
you, it affects other people.  Whether that be you getting trojanned,
spamming people; or not learning about your computer, doing dopey
things, then bogging down a list with "I shot myself in the foot"
support threads.

Granted the last one is the lesser of concerns, but the point was that
what you do is not in isolation to the rest of the world.

> I paid for the computer and not the SELinux development, be it an
> agency, a corporation or whatever else. I just want to open my
> computer and do my stupid things and if I mess things up, then so I
> did. It would be my mess and I would be really happy to clean it.
> After all it is my mess and I am paying for it (well the paying part I am
> doing either way).

Umm, you're making us pay for your mess...

You seem to be ignoring the point that others, who know much more about
it than you, have put a lot of effort into making a system much more
robust (against maliciousness, or stupidity).  I get the feeling that
you're another of those that might go to the doctor, tell him "It hurts
when I do this," and completely ignore his, "well, don't do that,"
advice.



-- 
[tim at localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.