SELinux on Fedora 17 - troubles, troubles, troubles, ...

Gilboa Davara gilboad at gmail.com
Thu Jul 19 13:23:28 UTC 2012


On Thu, Jul 19, 2012 at 1:11 PM, Mateusz Marzantowicz
<mmarzantowicz at osdf.com.pl> wrote:
> > You do understand that ranting (as opposed to reporting bugs / sending
> > fixes / etc) will get you nowhere, right?
> >
> > - Gilboa
>
> I also do understand that reporting a bug for each problem with selinux
> I encounter in my system isn't going anywhere too. I'd also like to use
> this valuable security mechanism.
>
> My original intention was to ask people on the list how do they deal
> with selinux policy mess in their systems which is obvious, they have in
> their configs after using Fedora for more than a month. Maybe it's about
> finding "the path" or just right management tools which I'm missing.
>
> Currently my knowledge of selinux isn't as big as yours so I couldn't
> simply differentiate between my fault and selinux policy bug. I also
> think that users shouldn't be forced to know that kind of thing.

A couple of things.
1. In my experience SELinux maintainers are *VERY* responsive. Most
(if not all) of the SELinux policy bugs that I opened were fixed
within days if not hours.
2. IMO, given the complexity of SELinux and given the huge
amount of different use cases, SELinux will never simply work out of
the box for every single Joe-six-pack with its own unique use case.
(E.g. sharing home via SMB)
Sure, a graphical semanage could do wonders to help regular users, but
in the end, creating a tool that will simply train users to bypass
SELinux errors by clicking next->next->next will simply make it as
redundant (security-wise) as Windows' UAC.

In short, if you want the extra protection SELinux is offering, you'll
have to learn to use it, fix it and report informational bugs about
it. No way around it.

- Gilboa

