07-07-2008, 05:32 AM
jeff

Request to re-add option to disable SELinux - compromise

>> But there are numerous other justifications I could give, including my
>> personal belief that it's absolutely nuts to thrust SE Linux upon
>> unsuspecting Desktop users (who don't know what it is anyway) without
>> giving them the choice to turn it off.
>
> If they don't know what it is, how are they supposed to decide to shut
> it off or not?


Perhaps by way of a compromise it could be noted in the installation docs if
you want to disable SELinux you should add "linux selinux=0" to the boot: line
of the install CD. This would make the option available the same way that
xfs/reiserfs/jfs are available. The user isn't confronted with it, but Linus[1]
can then easily disable it at install time.


For this to work, anaconda would have to then pass the selinux=0 to grub.

Benefits:
* Users aren't confronted with dialog box they don't understand
* Power users that "know" they don't need/want selinux still have it available
* Only needs small change to anaconda
* All win

Drawbacks:
* None whatsoever

-Jeff

[1] https://bugzilla.redhat.com/show_bug.cgi?id=439858

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
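
The boot-parameter mechanism discussed in the message above, as an added example that is not part of the original post or of anaconda: a shell function that reports which SELinux state a boot would produce from a kernel command line and the text of /etc/selinux/config, so an administrator can spot a stray `selinux=0` in a boot entry. The function name and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: predict the SELinux mode a boot will produce from the kernel
# command line and the text of /etc/selinux/config. On a live system the two
# inputs would come from /proc/cmdline and /etc/selinux/config.

# Constructed sample inputs (not taken from the thread).
SAMPLE_CMDLINE='ro root=LABEL=/ rhgb quiet selinux=0'
SAMPLE_CONFIG='# constructed sample config
SELINUX=enforcing
SELINUXTYPE=targeted'

# Hypothetical helper name. The body runs in a subshell so that "set -f"
# and the variables do not leak into the caller.
selinux_boot_state() (
    set -f                 # no globbing while splitting the command line
    kern_selinux=1         # default when selinux= is absent
    kern_enforcing=        # empty: enforcing= not given
    for arg in $1; do      # a later occurrence overrides an earlier one
        case $arg in
            selinux=0)   kern_selinux=0 ;;
            selinux=1)   kern_selinux=1 ;;
            enforcing=0) kern_enforcing=0 ;;
            enforcing=1) kern_enforcing=1 ;;
        esac
    done
    # Last uncommented SELINUX= line; SELINUXTYPE= does not match.
    mode=$(printf '%s\n' "$2" |
        sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' |
        tail -n 1)

    if [ "$kern_selinux" = 0 ] || [ "$mode" = disabled ]; then
        echo disabled      # selinux=0 wins over SELINUX=enforcing
    elif [ -n "$kern_enforcing" ]; then
        # enforcing= overrides the configured enforcing/permissive choice
        [ "$kern_enforcing" = 1 ] && echo enforcing || echo permissive
    elif [ "$mode" = enforcing ] || [ "$mode" = permissive ]; then
        echo "$mode"
    else
        echo unknown       # no usable SELINUX= line
    fi
)

echo "sample boot: $(selinux_boot_state "$SAMPLE_CMDLINE" "$SAMPLE_CONFIG")"
```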
 
07-07-2008, 07:58 AM
Rahul Sundaram

jeff wrote:
>>> But there are numerous other justifications I could give, including my
>>> personal belief that it's absolutely nuts to thrust SE Linux upon
>>> unsuspecting Desktop users (who don't know what it is anyway) without
>>> giving them the choice to turn it off.
>>
>> If they don't know what it is, how are they supposed to decide to shut
>> it off or not?
>
> Perhaps by way of a compromise it could be noted in the installation
> docs if you want to disable SELinux you should add "linux selinux=0" to
> the boot: line of the install CD. This would make the option available
> the same way that xfs/reiserfs/jfs are available. The user isn't
> confronted with it, but Linus[1] can then easily disable it at install
> time.


The policy has already been fixed and swfdec isn't installed by default
so there is no need to do that. It is already documented in the SELinux
FAQ now but installation guide can have a reference too. File a RFE.


Rahul

 
07-07-2008, 08:32 AM
"max bianco"

On Mon, Jul 7, 2008 at 3:58 AM, Rahul Sundaram
<sundaram@fedoraproject.org> wrote:
> jeff wrote:
>>>>
>>>> But there are numerous other justifications I could give, including my
>>>> personal belief that it's absolutely nuts to thrust SE Linux upon
>>>> unsuspecting Desktop users (who don't know what it is anyway) without
>>>> giving them the choice to turn it off.
>>>
>>> If they don't know what it is, how are they supposed to decide to shut
>>> it off or not?
>>
>> Perhaps by way of a compromise it could be noted in the installation docs
>> if you want to disable SELinux you should add "linux selinux=0" to the boot:
>> line of the install CD. This would make the option available the same way
>> that xfs/reiserfs/jfs are available. The user isn't confronted with it, but
>> Linus[1] can then easily disable it at install time.
>
> The policy has already been fixed and swfdec isn't installed by default so
> there is no need to do that. It is already documented in the SELinux FAQ now
> but installation guide can have a reference too. File a RFE.
>
> Rahul
>

Can an option to completely disable the ability to disable SELinux be
added? I'd rather there was no way to turn it off at all.

Max

--
If opinions were really like assholes we'd each have just one

 
07-07-2008, 09:27 AM
Rahul Sundaram

max bianco wrote:
> Can an option to completely disable the ability to disable SELinux be
> added? I'd rather there was no way to turn it off at all.


Sure, there is. Refer

https://fedoraproject.org/wiki/SELinux/FAQ

Rahul


 
07-07-2008, 10:16 AM
Denis Leroy

max bianco wrote:
> Can an option to completely disable the ability to disable SELinux be
> added? I'd rather there was no way to turn it off at all.


that doesn't make *any* sense

 
07-07-2008, 10:33 AM
Ingvar Hagelund

This would need a bit more hacking to Anaconda, but what about an
"Expert security settings" dialog with a note that most users should
leave these untouched. In this dialog, experienced sysadmins may
switch off selinux, tweak or disable the firewall, and perhaps other
stuff too.


Ingvar

--

Buddha wears an iPod



On 7 July 2008 at 09:58, Rahul Sundaram <sundaram@fedoraproject.org> wrote:

> jeff wrote:
>>>> But there are numerous other justifications I could give, including my
>>>> personal belief that it's absolutely nuts to thrust SE Linux upon
>>>> unsuspecting Desktop users (who don't know what it is anyway) without
>>>> giving them the choice to turn it off.
>>>
>>> If they don't know what it is, how are they supposed to decide to shut
>>> it off or not?
>>
>> Perhaps by way of a compromise it could be noted in the installation
>> docs if you want to disable SELinux you should add "linux selinux=0" to
>> the boot: line of the install CD. This would make the option available
>> the same way that xfs/reiserfs/jfs are available. The user isn't
>> confronted with it, but Linus[1] can then easily disable it at install
>> time.
>
> The policy has already been fixed and swfdec isn't installed by
> default so there is no need to do that. It is already documented in
> the SELinux FAQ now but installation guide can have a reference too.
> File a RFE.
>
> Rahul
 
07-07-2008, 11:38 AM
Bruno Wolff III

On Mon, Jul 07, 2008 at 04:32:29 -0400,
max bianco <maximilianbianco@gmail.com> wrote:
>
> Can an option to completely disable the ability to disable SELinux be
> added? I'd rather there was no way to turn it off at all.

You can already do this post install, so that the only way to disable involves
rebooting. And you can make it so that someone has to physically touch the
box and do something extreme (pull a disk, the cmos battery or something
similar) to be able to disable it.

 
07-07-2008, 01:54 PM
max

Denis Leroy wrote:
> max bianco wrote:
>> Can an option to completely disable the ability to disable SELinux be
>> added? I'd rather there was no way to turn it off at all.
>
> that doesn't make *any* sense

It makes as much sense as the rest of this thread and what it proposes.
Yes I realize this is extreme but no more extreme in my view than
disabled by default or offering the option at install time. There is
already a way to disable it if you know enough and if you don't then you
need it on anyway. For crying out loud my girlfriend uses Fedora, her
use is much closer to average than any of the rest of us and SELinux has
*never* caused her a problem. My mother, as computer illiterate as they
come (no disrespect intended, Mom) does not have any problems. This
conversation is pointless, I see a hundred posts about people
complaining about people discussing things like the GPL on a developer's
list, a subject quite relevant in my view, but when the idea of
disabling practically the only security present on the system is brought
up, it actually gets entertained? Disable it?!? What?!? It seems to me
that entirely too many people have their priorities seriously out of
whack. In today's world, security better be the first consideration. The
internet is a war zone. Any scum bag with a linux box can make a snazzy
web page and lure in the unsuspecting. I don't think anyone is claiming
SELinux is the be-all end-all of security tools but considering it's one
of the very few *real* security tools available I don't see how this
thread has managed to get this long. I've said my bit.


Max

 
07-07-2008, 02:39 PM
Denis Leroy

max wrote:
> Denis Leroy wrote:
>> max bianco wrote:
>>> Can an option to completely disable the ability to disable SELinux be
>>> added? I'd rather there was no way to turn it off at all.
>>
>> that doesn't make *any* sense
>
> It makes as much sense as the rest of this thread and what it proposes.
> Yes I realize this is extreme but no more extreme in my view than
> disabled by default or offering the option at install time. There is
> already a way to disable it if you know enough and if you don't then you
> need it on anyway. For crying out loud my girlfriend uses Fedora, her
> use is much closer to average than any of the rest of us and SELinux has
> *never* caused her a problem. My mother, as computer illiterate as they
> come (no disrespect intended, Mom) does not have any problems. This
> conversation is pointless, I see a hundred posts about people
> complaining about people discussing things like the GPL on a developer's
> list, a subject quite relevant in my view, but when the idea of
> disabling practically the only security present on the system is brought
> up, it actually gets entertained? Disable it?!? What?!? It seems to me
> that entirely too many people have their priorities seriously out of
> whack.

you are COMPLETELY missing the point. In some contexts, security is
irrelevant. Like that Fedora system we use in our lab at work for
bringup testing: it doesn't even have a network card.

some people think that criticizing SELinux installation policy (not
SELinux itself mind you, which is a useful thing) == saying "security is
not important". This is ridiculous.

The only scenario I can think of where SELinux disabled installation
would be forcefully prohibited would be, say, a custom Fedora spin
targeted at employees or students where you don't want some smart guy to
disable it (because that would mean your job)...


 
07-07-2008, 03:28 PM
max

Denis Leroy wrote:
> max wrote:
>> Denis Leroy wrote:
>>> max bianco wrote:
>>>> Can an option to completely disable the ability to disable SELinux be
>>>> added? I'd rather there was no way to turn it off at all.
>>>
>>> that doesn't make *any* sense
>>
>> It makes as much sense as the rest of this thread and what it proposes.
>> Yes I realize this is extreme but no more extreme in my view than
>> disabled by default or offering the option at install time. There is
>> already a way to disable it if you know enough and if you don't then
>> you need it on anyway. For crying out loud my girlfriend uses Fedora,
>> her use is much closer to average than any of the rest of us and
>> SELinux has *never* caused her a problem. My mother, as computer
>> illiterate as they come (no disrespect intended, Mom) does not have any
>> problems. This conversation is pointless, I see a hundred posts about
>> people complaining about people discussing things like the GPL on a
>> developer's list, a subject quite relevant in my view, but when the
>> idea of disabling practically the only security present on the system
>> is brought up, it actually gets entertained? Disable it?!? What?!? It
>> seems to me that entirely too many people have their priorities
>> seriously out of whack.
>
> you are COMPLETELY missing the point. In some context, security is
> irrelevant. Like that Fedora system we use in our lab at work for
> bringup testing: it doesn't even have a network card.

The last time I looked a computer without internet access is completely
useless to the average user. What do you think the majority of people
are doing with their computers? Playing solitaire? No network card is
not the norm. Anyway what's to stop some disgruntled employee from
quietly loading a program onto your test box that will have you
scratching your head for days because you can't imagine what might be
wrong. I think you have missed my point, probably because I failed to
express it adequately so I will drop it. This insanity isn't worth
discussing anyway.

