07-02-2008, 08:28 PM
"Colin Walters"

Request to re-add option to disable SELinux

2008/7/2 Jesse Keating <jkeating@redhat.com>:
> On Wed, 2008-07-02 at 16:10 -0400, Jon Masters wrote:
> >
> > But there are numerous other justifications I could give, including my
> > personal belief that it's absolutely nuts to thrust SE Linux upon
> > unsuspecting Desktop users (who don't know what it is anyway) without
> > giving them the choice to turn it off.
>
> If they don't know what it is, how are they supposed to decide to shut
> it off or not?

Yeah, we're trying to make installing Fedora not be a Choose Your Own Linux Adventure game.

Either the SELinux policy works well enough that it is enabled by default and supported, or it's not.

Besides, the option already exists - you can system-config-selinux after installing.


--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
07-02-2008, 08:29 PM
Matthias Clasen

On Wed, 2008-07-02 at 16:10 -0400, Jon Masters wrote:

>
> *). Tools like nautilus do not support labeling of files via the
> right-click properties dialog (gnome VFS, etc.) so there is no easy way
> for an end user who even understands part of this to fix context. This
> is the number one reason why SELinux should not be enabled by default,
> except on systems where there is an admin who can use chcon.

I don't disagree with the general sentiment that selinux is not a very
good fit for desktop users as it is today. But nautilus _does_ support
labeling of files via the right-click properties dialog.



 
07-02-2008, 08:32 PM
David Malcolm

On Wed, 2008-07-02 at 16:10 -0400, Jon Masters wrote:
[snip]
>
> *). Tools like nautilus do not support labeling of files via the
> right-click properties dialog (gnome VFS, etc.) so there is no easy way
> for an end user who even understands part of this to fix context. This
> is the number one reason why SELinux should not be enabled by default,
> except on systems where there is an admin who can use chcon.

Sounds like a regression; this used to work fine (on this RHEL5 ~ FC6
box I can do this from the Permissions tab of the nautilus file
properties dialog, and watch the SELinux column of the nautilus List
View change).

>
> But there are numerous other justifications I could give, including my
> personal belief that it's absolutely nuts to thrust SE Linux upon
> unsuspecting Desktop users (who don't know what it is anyway) without
> giving them the choice to turn it off.

What is this "kernel" thing? Why do I need it?


 
07-02-2008, 08:33 PM
seth vidal

On Wed, 2008-07-02 at 16:29 -0400, Matthias Clasen wrote:
> On Wed, 2008-07-02 at 16:10 -0400, Jon Masters wrote:
>
> >
> > *). Tools like nautilus do not support labeling of files via the
> > right-click properties dialog (gnome VFS, etc.) so there is no easy way
> > for an end user who even understands part of this to fix context. This
> > is the number one reason why SELinux should not be enabled by default,
> > except on systems where there is an admin who can use chcon.
>
> I don't disagree with the general sentiment that selinux is not a very
> good fit for desktop users as it is today. But nautilus _does_ support
> labeling of files via the right-click properties dialog.
>

Where? I see it showing me what they are but I don't see how to change
them.

Is it an option I have to enable?

-sv


 
07-02-2008, 08:34 PM
"Jeff Spaleta"

On Wed, Jul 2, 2008 at 12:29 PM, Matthias Clasen <mclasen@redhat.com> wrote:
> I don't disagree with the general sentiment that selinux is not a very
> good fit for desktop users as it is today. But nautilus _does_ support
> labeling of files via the right-click properties dialog.


Are people more clever than me trying to work out a way to indicate if
a file is mislabeled via the file manager graphical interface? Is
that even technically possible? And if it is, what would be a good UI
way to show that information without having to open up a properties
dialog window to see it?

-jef"votes for slowly pulsating red glow on the mislabeled file icon"spaleta

 
07-02-2008, 08:37 PM
Jon Masters

On Wed, 2008-07-02 at 16:29 -0400, Jon Masters wrote:

> I think what's needed is a nice little paragraph summarizing what
> SELinux is aiming to do, and then the old option of setting permissive
> or disabling - users can then set permissive if they prefer to.

Note that when I say this, I'm one of the users who might well turn it
off (well, set permissive) again on future installs. I've lived with
SELinux enforcing on F9 for under two weeks and have found it highly
inhibitive to performing many regular everyday tasks I'm used to.

I wasted about 6 hours on Sunday evening[0] figuring out why an SELinux
policy update in F9 had randomly stopped VPNC from working in a policy
update - that came following days of denials trying to do even simple
stuff. I can't possibly see how thrusting this default upon masses of
otherwise unsuspecting users is a good idea. I'm not saying SELinux
isn't a fantastic idea in certain cases, just not on "the desktop".

Dan, et al, no offense, but we need the option to come back.

Jon.

[0] It had been almost ten years since I last read through all that
documentation. So although I learned a lot about our current policy, and
what has changed over the years in SELinux, so that I could understand
the current targeted policy source, this isn't something regular Fedora
users should have to do in order to be using their computers.


 
07-02-2008, 08:39 PM
Jon Masters

On Wed, 2008-07-02 at 16:29 -0400, Matthias Clasen wrote:
> On Wed, 2008-07-02 at 16:10 -0400, Jon Masters wrote:
>
> >
> > *). Tools like nautilus do not support labeling of files via the
> > right-click properties dialog (gnome VFS, etc.) so there is no easy way
> > for an end user who even understands part of this to fix context. This
> > is the number one reason why SELinux should not be enabled by default,
> > except on systems where there is an admin who can use chcon.
>
> I don't disagree with the general sentiment that selinux is not a very
> good fit for desktop users as it is today. But nautilus _does_ support
> labeling of files via the right-click properties dialog.

It displays the current context. I'm guessing if you're root at the time
then it probably allows you to change it, but that's not useful until
there's e.g. a PolicyKit hook that allows regular users to relabel.

Jon.


 
07-02-2008, 08:46 PM
Jon Masters

On Wed, 2008-07-02 at 16:28 -0400, Colin Walters wrote:

> Yeah, we're trying to make installing Fedora not be a Choose Your Own
> Linux Adventure game.

I agree (partially) with that sentiment. Though it can obviously go way
too far with the aim of making life "easier" during a 10 minute install.

> Either the SELinux policy works well enough that it is enabled by
> default and supported, or it's not.

If it were really black and white like that, then I'd have to argue for
SELinux to be disabled by default on new Fedora installs and have users
go into the system config dialog to turn it back on. After all, if
you're going to use the following argument:

> Besides, the option already exists - you can system-config-selinux
> after installing.

Then consider, those who know what SELinux is are more likely to know
about that dialog, and therefore more likely to turn it on. If you don't
like that, then I suggest giving thought to re-instating the option.

Jon.



 
07-02-2008, 08:56 PM
jcvlz

It sounds like this issue has more to do with how easily an "average"
end user can admin/modify selinux and its policies through a GUI
interface. So what about extending the functionality of one of the
gui apps?

i.e.
-If setroubleshoot is not part of the base package, include it and
have it turned on by default
-Add audit2allow/audit2why functionality to setroubleshoot
-Simplify the details section of setroubleshoot to be more
meaningful to end-users

FWIW - I'm for keeping selinux enforcing by default, but could
definitely see where end-users could be running into issues.


Juan Velez

 
07-02-2008, 08:58 PM
Doug Ledford

On Wed, 2008-07-02 at 16:39 -0400, Jon Masters wrote:
> On Wed, 2008-07-02 at 16:29 -0400, Matthias Clasen wrote:
> > On Wed, 2008-07-02 at 16:10 -0400, Jon Masters wrote:
> >
> > >
> > > *). Tools like nautilus do not support labeling of files via the
> > > right-click properties dialog (gnome VFS, etc.) so there is no easy way
> > > for an end user who even understands part of this to fix context. This
> > > is the number one reason why SELinux should not be enabled by default,
> > > except on systems where there is an admin who can use chcon.
> >
> > I don't disagree with the general sentiment that selinux is not a very
> > good fit for desktop users as it is today. But nautilus _does_ support
> > labeling of files via the right-click properties dialog.
>
> It displays the current context. I'm guessing if you're root at the time
> then it probably allows you to change it, but that's not useful until
> there's e.g. a PolicyKit hook that allows regular users to relabel.

Well, that's just incredibly helpful when combined with the whole "you
should never, under any circumstances, run X windows as root" thread of
a few days ago ;-)

--
Doug Ledford <dledford@redhat.com>
GPG KeyID: CFBFF194
http://people.redhat.com/dledford

Infiniband specific RPMs available at
http://people.redhat.com/dledford/Infiniband

 

All times are GMT.