07-02-2008, 08:58 PM
Colin Walters

Request to re-add option to disable SELinux

On Wed, Jul 2, 2008 at 4:46 PM, Jon Masters <jonathan@jonmasters.org> wrote:

> On Wed, 2008-07-02 at 16:28 -0400, Colin Walters wrote:
>
> > Yeah, we're trying to make installing Fedora not be a Choose Your Own
> > Linux Adventure game.
>
> I agree (partially) with that sentiment. Though it can obviously go way
> too far with the aim of making life "easier" during a 10 minute install.

I don't think we can go too far in cutting out the crap from the install process for desktops. The target audience is (or should be) people who have *more important things* to do with their time than play Build My Own Linux. They hit "Next" on the partitioning screens, firewall, etc.

If our defaults are broken, we should acknowledge that as a bug instead of foisting the choice onto our users.

> > Either the SELinux policy works well enough that it is enabled by
> > default and supported, or it's not.
>
> If it were really black and white like that, then I'd have to argue for
> SELinux to be disabled by default on new Fedora installs and have users
> go into the system config dialog to turn it back on. After all, if
> you're going to use the following argument:

Yes, I think what you should be arguing is that it should be permissive or disabled by default.

I'm not sure I would agree with that argument personally given that I see little hope for any other extended security system (e.g. AppArmor is architecturally broken).

There are plenty of other possible choices besides just enabling by default or disabling:

o Default rawhide installs to permissive
o Create a system that automatically sends denials back to Fedora and treat them like crashes
o Tune down the default policy to move more things back into unconfined_t, and focus more strongly on vulnerable network servers like Samba, Apache etc.
o Actually have a regression test suite for Fedora and run updates through it

etc.



--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
07-02-2008, 09:09 PM
Alan Cox

Request to re-add option to disable SELinux

On Wed, Jul 02, 2008 at 04:22:21PM -0400, Jesse Keating wrote:
> On Wed, 2008-07-02 at 16:10 -0400, Jon Masters wrote:
> >
> > But there are numerous other justifications I could give, including my
> > personal belief that it's absolutely nuts to thrust SE Linux upon
> > unsuspecting Desktop users (who don't know what it is anyway) without
> > giving them the choice to turn it off.
>
> If they don't know what it is, how are they supposed to decide to shut
> it off or not?

Knowing what it is isn't sufficient - they must know enough to make a meaningful
risk analysis of the decision. Very few users I suspect are in that position.

07-02-2008, 09:13 PM
Alan Cox

Request to re-add option to disable SELinux

On Wed, Jul 02, 2008 at 04:37:48PM -0400, Jon Masters wrote:
> I wasted about 6 hours on Sunday evening[0] figuring out why an SELinux
> policy update in F9 had randomly stopped VPNC from working in a policy
> update - that came following days of denials trying to do even simple
> stuff. I can't possibly see how thrusting this default upon masses of
> otherwise unsuspecting users is a good idea. I'm not saying SELinux
> isn't a fantastic idea in certain cases, just not on "the desktop".

The desktop is where it is most needed.

But here is a silly question - why are you using vpnc if you turn SELinux off,
telnet would be faster too ?

Alan

07-02-2008, 09:14 PM
Jon Masters

Request to re-add option to disable SELinux

On Wed, 2008-07-02 at 16:58 -0400, Colin Walters wrote:


> I don't think we can go too far in cutting out the crap from the
> install process for desktops.

Like I said, I like the sentiment

> If our defaults are broken, we should acknowledge that as a bug
> instead of foisting the choice onto our users.

Ok, so...

> Yes, I think what you should be arguing is that it should be
> permissive or disabled by default.

Ok then let me just say it. I think the default should be permissive or
disabled by default. I was hoping to not have to say that - but I think
it's a lot safer on the mass userbase of Fedora than thrusting a fully
enforcing SELinux policy set upon them. If I'm having to hack on the
policy files on my laptop, there's no hope for a desktop user.

> I'm not sure I would agree with that argument personally given that I
> see little hope for any other extended security system (e.g. AppArmor
> is architecturally broken).

Oh, see this is why I didn't want to just say "let's turn it off by
default", because people read it as an attack on SELinux itself. But it
doesn't have to be like that. SELinux is well designed (App Armor is
basically crackrock in my personal opinion) but it's extremely
complicated in terms of the policy that exists. It's also not for
everyone, in my opinion. I think that SELinux makes great sense on a
server running a timesharing environment, far less on a desktop.

> There are plenty of other possible choices besides just enabling by
> default or disabling:
>
> o Default rawhide installs to permissive

And yet the issues I've had have all been on F9, stock.

> o Create a system that automatically sends denials back to Fedora and
> treat them like crashes

There's still a lead time of days, or weeks. Dan is *very* good (I'm
being careful here to explicitly say I'm not attacking the folks behind
the policy - he updated the policy within a day of e.g. the VPNC issue)
but the whole thing is still very reactionary to problem reports. If a
user tries to do some of the things I tried, and they fail, they'll just
give up on trying, and think that it's all a waste of time.

> o Tune down the default policy to move more things back into
> unconfined_t, and focus more strongly on vulnerable network servers
> like Samba, Apache etc.

This is absolutely the most essential thing to be doing. I've been arguing
this for ever and ever. Personally, I think SELinux is a great tool on
servers to protect network facing stuff...but there needs to be a middle
ground on Desktops where people can just get stuff done. I haven't
pushed this on fedora-devel - I didn't expect a warm response

> o Actually have a regression test suite for Fedora and run updates
> through it

Well, while we're at it, we really need to encourage more people to use
bodhi and start voting (and thereby assigning karma), and knowing about
updates (which should only ever contain essential fixes). But that's
another whole bucket of worms for a different thread.

Jon.

07-02-2008, 09:16 PM
Alan Cox

Request to re-add option to disable SELinux

On Wed, Jul 02, 2008 at 04:46:35PM -0400, Jon Masters wrote:
> If it were really black and white like that, then I'd have to argue for
> SELinux to be disabled by default on new Fedora installs and have users
> go into the system config dialog to turn it back on. After all, if
> you're going to use the following argument:

"This car has brakes, enable them ?"
"Would you like the seatbelts to work ?"
"Shall I enable the airbag ?"

> Then consider, those who know what SELinux is are more likely to know
> about that dialog, and therefore more likely to turn it on. If you don't
> like that, then I suggest giving thought to re-instating the option

One of the Gnome talks summed this up nicely long ago - how do most users
see dialogue boxes like that - the answer is as random noise you hit the yes
button to.

SELinux should be disablable is the wrong discussion. The discussion you should
be having is "I've filed a few bugs where SELinux didn't magically do the right
thing, how do we fix them and can we make these less likely to occur in future"

If it was a car this discussion ie - "I had a brake problem so I disabled them"
would not be considered sane

Alan

07-02-2008, 09:16 PM
Jon Masters

Request to re-add option to disable SELinux

On Wed, 2008-07-02 at 17:13 -0400, Alan Cox wrote:
> On Wed, Jul 02, 2008 at 04:37:48PM -0400, Jon Masters wrote:
> > I wasted about 6 hours on Sunday evening[0] figuring out why an SELinux
> > policy update in F9 had randomly stopped VPNC from working in a policy
> > update - that came following days of denials trying to do even simple
> > stuff. I can't possibly see how thrusting this default upon masses of
> > otherwise unsuspecting users is a good idea. I'm not saying SELinux
> > isn't a fantastic idea in certain cases, just not on "the desktop".
>
> The desktop is where it is most needed.

Yes, in a perfect world in which policy and reality were so well aligned
that everything just worked, all of the time.

> But here is a silly question - why are you using vpnc if you turn SELinux off,
> telnet would be faster too ?

I didn't turn SELinux off. I'm forcing myself to use it in enforcing
mode, and I will continue to do so. But I think it's absolutely nuts to
expect the average Fedora desktop user to do so

Jon.


07-02-2008, 09:20 PM
Jon Masters

Request to re-add option to disable SELinux

On Wed, 2008-07-02 at 17:16 -0400, Alan Cox wrote:
> On Wed, Jul 02, 2008 at 04:46:35PM -0400, Jon Masters wrote:
> > If it were really black and white like that, then I'd have to argue for
> > SELinux to be disabled by default on new Fedora installs and have users
> > go into the system config dialog to turn it back on. After all, if
> > you're going to use the following argument:
>
> "This car has brakes, enable them ?"

Well, you can turn the ABS on and off in some cases.

> "Would you like the seatbelts to work ?"
> "Shall I enable the airbag ?"

You can turn the child restraint passenger system on/off on most models
of car to deal with the injury sustained from airbag deployment.

"Would you like to use regular gas or premium?"

> SELinux should be disablable is the wrong discussion. The discussion you should
> be having is "I've filed a few bugs where SELinux didn't magically do the right
> thing, how do we fix them and can we make these less likely to occur in future"

I think the only way to "fix" it for the foreseeable future is to
simplify policy, so that only a very limited set of services are
confined. Then, when the graphical tools and user experience have
eventually caught up, it'll be trivial to switch policy again.

> If it was a car this discussion ie - "I had a brake problem so I disabled them"
> would not be considered sane

No, but there are many other more suitable analogies

Jon.


07-02-2008, 09:36 PM
Bruno Wolff III

Request to re-add option to disable SELinux

On Wed, Jul 02, 2008 at 17:16:10 -0400,
Alan Cox <alan@redhat.com> wrote:
> "Shall I enable the airbag ?"

That one I'd actually like.

07-02-2008, 09:48 PM
Simo Sorce

Request to re-add option to disable SELinux

On Wed, 2008-07-02 at 17:16 -0400, Jon Masters wrote:
> On Wed, 2008-07-02 at 17:13 -0400, Alan Cox wrote:
> > On Wed, Jul 02, 2008 at 04:37:48PM -0400, Jon Masters wrote:
> > > I wasted about 6 hours on Sunday evening[0] figuring out why an SELinux
> > > policy update in F9 had randomly stopped VPNC from working in a policy
> > > update - that came following days of denials trying to do even simple
> > > stuff. I can't possibly see how thrusting this default upon masses of
> > > otherwise unsuspecting users is a good idea. I'm not saying SELinux
> > > isn't a fantastic idea in certain cases, just not on "the desktop".
> >
> > The desktop is where it is most needed.
>
> Yes, in a perfect world in which policy and reality were so well aligned
> that everything just worked, all of the time.
>
> > But here is a silly question - why are you using vpnc if you turn SELinux off,
> > telnet would be faster too ?
>
> I didn't turn SELinux off. I'm forcing myself to use it in enforcing
> mode, and I will continue to do so. But I think it's absolutely nuts to
> expect the average Fedora desktop user to do so

1) you are not the average user, your experience is biased and your
usage patterns are not standard

2) I use SELinux in enforcing mode since F8, I had almost no problems, I
do development and all. I know what SELinux is and when to change to
permissive.

Moreover, given I am doing development and I am fiddling with
non-standard stuff I expect to randomly have problems with SELinux
(which is all about blocking non-standard behavior), so I just took my 2
hours self-teaching course on SELinux and know how to diagnose and
change labels when needed. I even ventured into changing some policy for
the packages I work on, although Dan Walsh is super in helping out with
that stuff and learning how to write policies is not strictly needed.

Take your time, learn what SELinux is and help back to make it better by
providing changes relative to packages you own or you use most. This
will be a better use of your time.

I wonder if windows developers had the same attitude toward NTFS ACLs
when Microsoft started transitioning them from FAT ... I think us Linux
devs can handle SELinux, conceptually and practically.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

07-02-2008, 09:57 PM
Jon Masters

Request to re-add option to disable SELinux

On Wed, 2008-07-02 at 17:48 -0400, Simo Sorce wrote:

> 1) you are not the average user, your experience is biased and your
> usage patterns are not standard

I agree I'm not a "typical user", however some of the things I've had
problems with are being used by typical users - I'm deliberately trying
to avoid examples of copying configuration files and the like

> Take your time, learn what SELinux is and help back to make it better by
> providing changes relative to packages you own or you use most. This
> will be a better use of your time.

I'm all for helping to find and fix policy issues - why do you think I
left it enabled? I've followed SELinux on and off for about a decade,
though this is the first time I've tried enforcing on a "desktop" box.
And I feel that my previous reasoning for turning it off on my desktops
and laptops is once again justified...unfortunately.

> I wonder if windows developers had the same attitude toward NTFS ACLs
> when Microsoft started transitioning them from FAT ... I think us Linux
> devs can handle SELinux, conceptually and practically.

That's a lousy example. I use Linux ACLs and have done since long before
they were upstream and in stock vendor kernels - ACLs are great, and
we're not shipping a complex default set of ACLs anyway

Let's compare apples and apples

Jon.

