Cargo Cult sysadmining

Tim ignored_mailbox at yahoo.com.au
Tue Aug 7 18:08:33 UTC 2012


On Tue, 2012-08-07 at 07:54 -0400, John Aldrich wrote:
> With respect to SELinux... I really have no idea whether it's  
> currently enabled, enabled in "permissive" mode or disabled (I *think*
> it may be in "permissive" mode, but I wouldn't swear to it.) However,
> I got to thinking... it needs to be set up more like an antivirus  
> program, i.e. smart enough to recognize what is there and act  
> accordingly.

Generally speaking, it is.  Warnings are either faults with the rules,
or the applications doing things that they shouldn't, which do get
amended.  Or warnings that you're doing something wrong on your
computer, and that needs fixing (e.g. you're trying to access files
where you shouldn't - such as webserving from non-standard locations).

I can't say that I've ever had a SELinux alert while trying to do
something normal, such as read a file or write one, in my homespace.

I have seen alerts such as applications wanting carte blanche to do
whatever they feel like on the file system, when that's clearly a bad
idea.  So, corrections get made to those programs to not request things
they shouldn't do.  Or modifications to rules to allow some things a bit
more access than default, but not carte blanche.

Usually stupid errors with commonly used applications get discovered and
fixed quite quickly.  It's when users do something less common
that /they/ will probably have to be the one to make a bug report.

-- 
[tim at localhost ~]$ uname -r
2.6.27.25-78.2.56.fc9.i686

Don't send private replies to my address, the mailbox is ignored.  I
read messages from the public lists.
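
Added example, not part of the original message or of any project's code: a Python sketch covering the two points in the thread, reading the configured mode from `/etc/selinux/config` text and grouping AVC denials by what was denied to whom, using the "webserving from a non-standard location" case. The config text, log lines, paths and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed samples (not from the original message).
SAMPLE_CONFIG = "# /etc/selinux/config\nSELINUX=permissive\nSELINUXTYPE=targeted\n"
SAMPLE_LOG = """\
type=AVC msg=audit(1344362913.101:71): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev=sda3 ino=40211 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1344362914.207:72): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/home/example/site/index.html" dev=sda3 ino=40211 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1344362914.207:72): arch=40000003 syscall=195 success=no exit=-13
type=AVC msg=audit(1344362920.550:80): avc:  denied  { read } for  pid=2101 comm="httpd" name="style.css" dev=sda3 ino=40212 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?comm="(?P<comm>[^"]+)"'
    r".*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)"
)

def configured_mode(config_text):
    """Boot-time mode from /etc/selinux/config text; the running mode can differ."""
    for line in config_text.splitlines():
        if line.strip().startswith("SELINUX="):
            return line.split("=", 1)[1].strip()
    return None

def summarize_denials(log_text):
    """Count denials per (comm, source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type[:level]; the type is what policy rules match on.
        src, tgt = (m.group(g).split(":")[2] for g in ("scon", "tcon"))
        for perm in m.group("perms").split():
            counts[(m.group("comm"), src, tgt, m.group("tclass"), perm)] += 1
    return counts

if __name__ == "__main__":
    print("configured mode:", configured_mode(SAMPLE_CONFIG))
    for key, n in summarize_denials(SAMPLE_LOG).most_common():
        print(n, *key)
```

On a live system `getenforce` reports the running mode. A summary dominated by one pair such as `httpd_t` against `user_home_t` points to files served from an unexpected location and not to a policy bug.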
