01-16-2008, 07:57 PM
David Nielsen

SELinux removed from desktop cd spin?

On Wed, 16 01 2008 at 20:57 +0100, Valent Turkovic wrote:
> Hi,
> I believe that SELinux is a great linux server security hardening tool
> but that has little use in desktop linux usage and it confuses
> ordinary desktop users.
> If it hasn't been discussed before I would like to propose that on
> desktop cd spin SELinux is not installed by default, of course after
> discussion and approval from you (fedora devels).

-infinity

You opt out of security not into it, if SELinux presents a problem in an
otherwise legitimate use case then it's a bug and it should be fixed.
Dan Walsh is normally a very responsive maintainer and bugs get fixed
nearly instantly.

Prevention is better than waiting for a problem to erupt and then
scramble to provide a 0 day patch to every critical bug. In much the
same way as we vaccinate people to avoid illness in the future instead
of just relying on luck and treatment.

All that being said, SELinux is disabled on this box, I run constantly
on an up to date Development and every day up until a few weeks ago it has
run basically without a problem with SELinux enabled in enforcing mode.
I totally put that on me though because I haven't gotten around to
tracking the issues and filing them.

- David

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
01-16-2008, 08:00 PM
Alan Cox

On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
> I believe that SELinux is a great linux server security hardening tool
> but that has little use in desktop linux usage and it confuses
> ordinary desktop users.

Desktop users are the people it is most important for. If it is still confusing
people we need to fix the confusions. Perhaps you can explain more ?


01-16-2008, 08:11 PM
"Valent Turkovic"

On Jan 16, 2008 10:00 PM, Alan Cox <alan@redhat.com> wrote:
> On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
> > I believe that SELinux is a great linux server security hardening tool
> > but that has little use in desktop linux usage and it confuses
> > ordinary desktop users.
>
> Desktop users are the people it is most important for. If it is still confusing
> people we need to fix the confusions. Perhaps you can explain more ?

AVC denials that SELinux Troubleshoot Tool pops up really scare me.
There is half of screen of text and I can't figure out anything
important from that. I see no information of value to me as a desktop
user. I don't know if my laptop is about to blow up or if it is some minor
error I can safely ignore.

I have about 20 AVC denial messages in SE Tool right now... they all
make zero sense to me. I just got one from NetworkManager after my
laptop returned from sleep... and I see a bunch of them regarding
VirtualBox temporary files... etc... etc...

Valent.

--
http://kernelreloaded.blog385.com/
linux, blog, anime, spirituality, windsurf, wireless
registered as user #367004 with the Linux Counter, http://counter.li.org.
ICQ: 2125241, Skype: valent.turkovic

01-16-2008, 08:13 PM
Dave Airlie

On Wed, 2008-01-16 at 16:00 -0500, Alan Cox wrote:
> On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
> > I believe that SELinux is a great linux server security hardening tool
> > but that has little use in desktop linux usage and it confuses
> > ordinary desktop users.
>
> Desktop users are the people it is most important for. If it is still confusing
> people we need to fix the confusions. Perhaps you can explain more ?
>
>

We made one big mistake with SELinux, selinuxalert or whatever it is
called... we haven't learned from the MAC vs Windows ads... we now have
an app that puts us squarely into the Windows lack of usefulness camp.

"hey user this app is doing something bad. do you want to let it do
it?"_t.

Dave.


01-16-2008, 08:16 PM
"Arthur Pemberton"

On Jan 16, 2008 1:57 PM, Valent Turkovic <valent.turkovic@gmail.com> wrote:
> Hi,
> I believe that SELinux is a great linux server security hardening tool
> but that has little use in desktop linux usage and it confuses
> ordinary desktop users.
> If it hasn't been discussed before I would like to propose that on
> desktop cd spin SELinux is not installed by default, of course after
> discussion and approval from you (fedora devels).

About how many people would you all estimate even use Fedora as desktop?

--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )

01-16-2008, 08:26 PM
"Valent Turkovic"

On Jan 16, 2008 10:13 PM, Dave Airlie <airlied@redhat.com> wrote:
>
> On Wed, 2008-01-16 at 16:00 -0500, Alan Cox wrote:
> > On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
> > > I believe that SELinux is a great linux server security hardening tool
> > > but that has little use in desktop linux usage and it confuses
> > > ordinary desktop users.
> >
> > Desktop users are the people it is most important for. If it is still confusing
> > people we need to fix the confusions. Perhaps you can explain more ?
> >
> >
>
> We made one big mistake with SELinux, selinuxalert or whatever it is
> called... we haven't learned from the MAC vs Windows ads... we now have
> an app that puts us squarely into the Windows lack of usefulness camp.
>
> "hey user this app is doing something bad. do you want to let it do
> it?"_t.

I wish it was that easy. When I installed fluendo codecs I couldn't play
my multimedia because SELinux blocked it (nobody tested it even though
Fedora 8 advertised fluendo codec support as one of its new shiny
features).
SELinux troubleshoot tool is still too hard for ordinary desktop users.
I see the real benefit of SELinux troubleshoot tool for admins using
RHEL or Fedora on their servers but on desktop I hardly see any point.

I will bet anybody who wants that Fedora live cd users will have more
trouble from using SELinux than benefit. Also that ubuntu, opensuse
and other distros that don't use SELinux won't be in trouble from some
0day exploit.

Valent.

01-16-2008, 08:27 PM
Eric Paris

On Thu, 2008-01-17 at 07:13 +1000, Dave Airlie wrote:
> On Wed, 2008-01-16 at 16:00 -0500, Alan Cox wrote:
> > On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
> > > I believe that SELinux is a great linux server security hardening tool
> > > but that has little use in desktop linux usage and it confuses
> > > ordinary desktop users.
> >
> > Desktop users are the people it is most important for. If it is still confusing
> > people we need to fix the confusions. Perhaps you can explain more ?
> >
> >
>
> We made one big mistake with SELinux, selinuxalert or whatever it is
> called... we haven't learned from the MAC vs Windows ads... we now have
> an app that puts us squarely into the Windows lack of usefulness camp.
>
> "hey user this app is doing something bad. do you want to let it do
> it?"_t.
>
> Dave.

A difference though is that while we do pop up that little window which
exposes the inherent complexities of the underlying operating system we
attempt to explain in human readable format what is going on (sometimes
we fail, just read this thread). I must admit some of it must seem very
cryptic, but that cryptic information is what the selinux developers
need to actually assess and fix the issue. We could hide it on the main
screen, but then every BZ that got filed would have a first response of
'please include the useful information hidden behind the 'developer
information' button'.

But more importantly we are working towards having that application
never show up unless it is a well known tunable the user may want to
flip or there is something going severely wrong. Installing a new
program selinux has never heard of should not cause selinux problems
(ok, if the app does something terrible with memory maybe.) We only pop
up that dialog for applications we 'think' we already know everything it
needs to do. I wish it popped up less but we get closer and closer to
the goal every day.

Thanks Dan.

-Eric

01-16-2008, 08:28 PM
"Valent Turkovic"

On Jan 16, 2008 10:16 PM, Arthur Pemberton <pemboa@gmail.com> wrote:
> On Jan 16, 2008 1:57 PM, Valent Turkovic <valent.turkovic@gmail.com> wrote:
> > Hi,
> > I believe that SELinux is a great linux server security hardening tool
> > but that has little use in desktop linux usage and it confuses
> > ordinary desktop users.
> > If it hasn't been discussed before I would like to propose that on
> > desktop cd spin SELinux is not installed by default, of course after
> > discussion and approval from you (fedora devels).
>
> About how many people would you all estimate even use Fedora as desktop?
>
> --
> Fedora 7 : sipping some of that moonshine
> ( www.pembo13.com )

A few hundred thousand? Don't know... look at fedora statistics page
and judge for yourself...

And I bet that more will choose ubuntu as a "friendlier" desktop if
fedora forces people to use SELinux.

Valent.

01-16-2008, 08:29 PM
Les Mikesell

Arthur Pemberton wrote:
> > Hi,
> > I believe that SELinux is a great linux server security hardening tool
> > but that has little use in desktop linux usage and it confuses
> > ordinary desktop users.
> > If it hasn't been discussed before I would like to propose that on
> > desktop cd spin SELinux is not installed by default, of course after
> > discussion and approval from you (fedora devels).
>
> About how many people would you all estimate even use Fedora as desktop?

Where else would you use it?

--
Les Mikesell
lesmikesell@gmail.com

01-16-2008, 08:35 PM
"Valent Turkovic"

On Jan 16, 2008 10:27 PM, Eric Paris <eparis@redhat.com> wrote:
>
> On Thu, 2008-01-17 at 07:13 +1000, Dave Airlie wrote:
> > On Wed, 2008-01-16 at 16:00 -0500, Alan Cox wrote:
> > > On Wed, Jan 16, 2008 at 08:57:56PM +0100, Valent Turkovic wrote:
> > > > I believe that SELinux is a great linux server security hardening tool
> > > > but that has little use in desktop linux usage and it confuses
> > > > ordinary desktop users.
> > >
> > > Desktop users are the people it is most important for. If it is still confusing
> > > people we need to fix the confusions. Perhaps you can explain more ?
> > >
> > >
> >
> > We made one big mistake with SELinux, selinuxalert or whatever it is
> > called... we haven't learned from the MAC vs Windows ads... we now have
> > an app that puts us squarely into the Windows lack of usefulness camp.
> >
> > "hey user this app is doing something bad. do you want to let it do
> > it?"_t.
> >
> > Dave.
>
> A difference though is that while we do pop up that little window which
> exposes the inherent complexities of the underlying operating system we
> attempt to explain in human readable format what is going on (sometimes
> we fail, just read this thread). I must admit some of it must seem very
> cryptic, but that cryptic information is what the selinux developers
> need to actually assess and fix the issue. We could hide it on the main
> screen, but then every BZ that got filed would have a first response of
> 'please include the useful information hidden behind the 'developer
> information' button'.

And that is exactly why this feels like testing ground for RHEL and
not an option that actually benefits users because you admit that it
is not ready for "joe user".

> But more importantly we are working towards having that application
> never show up unless it is a well known tunable the user may want to
> flip or there is something going severely wrong. Installing a new
> program selinux has never heard of should not cause selinux problems
> (ok, if the app does something terrible with memory maybe.) We only pop
> up that dialog for applications we 'think' we already know everything it
> needs to do. I wish it popped up less but we get closer and closer to
> the goal every day.

I really love SELinux and it is a great tool, and it helps a lot of
admins who use it, but because it is still too rough for the general
public it should not be forced onto them.

What is your target audience with SELinux?

I'm here only talking about removing it on Gnome Live Fedora cd - focus
of that "spin" are desktop users AFAIK. Leave it on DVD version whose
target audience is much wider.

Valent
