Hi folks,

I'd like to see the re-introduction of an option during (or shortly
after, i.e. during firstboot) installation to disable SELinux, or set it
to be permissive. My reason for making this request includes:

*). A number of activities are not possible today, with SE Linux enabled
and enforcing on a default F9 installation. I can give examples -
downloading an ISO image and expecting to use it in virt-manager,
creating a virtual machine in a non-standard location, etc.

*). Policy changes will randomly stop things from working that used to
work. Especially on the Desktop, where many possible code paths (SE
Linux works by denying until an exception is found and added to the
policy...requiring all code paths to be exercised) exist to do
something. I found this last week when VPNC randomly broke.

*). Tools like nautilus do not support labeling of files via the
right-click properties dialog (gnome VFS, etc.) so there is no easy way
for an end user who even understands part of this to fix context. This
is the number one reason why SELinux should not be enabled by default,
except on systems where there is an admin who can use chcon.

But there are numerous other justifications I could give, including my
personal belief that it's absolutely nuts to thrust SE Linux upon
unsuspecting Desktop users (who don't know what it is anyway) without
giving them the choice to turn it off.

Cheers,

Jon.


--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Wed, 2008-07-02 at 16:10 -0400, Jon Masters wrote:
>
> But there are numerous other justifications I could give, including my
> personal belief that it's absolutely nuts to thrust SE Linux upon
> unsuspecting Desktop users (who don't know what it is anyway) without
> giving them the choice to turn it off.

If they don't know what it is, how are they supposed to decide to shut
it off or not?

--
Jesse Keating
Fedora -- Freedom² is a feature!
--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Wed, 2008-07-02 at 16:22 -0400, Jesse Keating wrote:
> On Wed, 2008-07-02 at 16:10 -0400, Jon Masters wrote:
> >
> > But there are numerous other justifications I could give, including my
> > personal belief that it's absolutely nuts to thrust SE Linux upon
> > unsuspecting Desktop users (who don't know what it is anyway) without
> > giving them the choice to turn it off.
>
> If they don't know what it is, how are they supposed to decide to shut
> it off or not?

I see your logic Jesse, and I did think about it. But one might also
say, "how about we just force it down their throats because it's good
medicine for them?" I'm concerned that this is what's happening

I think what's needed is a nice little paragraph summarizing what
SELinux is aiming to do, and then the old option of setting permissive
or disabling - users can then set permissive if they prefer to.

Jon.


--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list