2008/4/1, Andrew Farris <firstname.lastname@example.org>:
> Mark wrote:
> > 2008/4/1, Andrew Farris <email@example.com>:
> >> Mark wrote:
> >> > Hey,
> >> >
> >> > I just installed the Fedora 9 Beta release and am doing a full system
> >> > update as we speak.
> >> > While downloading the updates nothing is wrong.. it just downloads and
> >> > that's it. But when installing the updates i get a ton of selinux
> >> > notices!! and this is just a default Fedora 9 beta followed by a yum
> >> > -y update.
> >> A few suggestions... first, this is beta software, so naturally the fresh beta
> >> install is going to have some issues. Why wouldn't you expect that it is
> >> possible selinux wouldn't play quietly in its corner right after you install...
> >> yet you probably wouldn't think twice about a few little issues with gdm or
> >> nautilus?
> > I wouldn't find it strange to see bugs in nautilus/gdm/any other than
> > selinux strange. Selinux is just: Annoying, frustrating, irritating
> > and asking to be disabled. My selinux history tells me that this isn't
> > a bug.. it's just selinux.
> An assumption that is dangerous. I understand prior bad selinux issues can
> leave you feeling that way, but consider how similar it is to just 'click ok for
> everything' in Windows? Yes.. prior experience would tell you its something you
> have to do for it to work, but its also exploited by malicious code. Assuming
> every selinux audit is a bug or just selinux being annoying is a terrible mindset.
Selinux keeps proving me that it deserves to shut down. i can't help
it that it blames me for playing flash animation, using a gif
animation in a local web folder or oven just installing updates from
> >> Now suggestions.
> >> - To keep selinux running nicely on your desktop you need to relabel or
> >> restorecon your files frequently, especially after any updates are done. If you
> >> update selinux-policy or your kernel, immediately do 'touch /.autorelabel' and
> >> then reboot... when you don't you're tempting selinux to annoy you with denials
> >> (expected behavior).
> >> - Use tmpfs for /tmp. This one suggestion from Dan Walsh has been very helpful
> >> for my systems. Just add the following line to your /etc/fstab:
> >> tmpfs /tmp tmpfs defaults 0 0
> >> then do:
> >> rm -Rf /tmp/*; reboot
> >> Then remember that files in tmp are supposed to be temporary and don't save
> >> large downloads, misc files, etc, in tmp... they will disappear at reboot, and
> >> tmp is only 512Mb with tmpfs defaults.
> > First: it requires a reboot which should not be the case for ANY linux
> > based program unless it has a good reason. Windows == reboots afer
> > every update. Don't follow that path on linux!
> Actually, any kernel update requires a reboot unless you're pulling monkey
> tricks (yes, it can 'kinda' be done without rebooting, but not with Fedora
> kernel updates). Any time you update selinux policy you can get away without
> rebooting, just restoring contexts instead, but its much simpler... and less
> error prone, to do it while nothing is being used (i.e. before you really get
> the system booted). Its not necessary, its 'best practice' for effectively
> testing and using selinux in its development state. So don't reboot if you
> don't feel like it; I will.
Oke that's a extreme example. If the kernel gets updated than it
deserves a reboot
but for all other things (software related) than
no.. it should not require a reboot
> > Second: it requires me to INVESTIGATE the issues, find solutions and
> > fix it. Sorry to tell but that's not my job nor am i willing to do it
> > and it requires a lot of time to fix issues that should not even
> > exist.
> So, you'd rather just have a less secure system you can ignore? Ok.
Well if it's with the annoying things that i've experienced with
selinux today and in the recent years than yes. Surely selinux can
spit out real warning that could potential be a real thread.. just
never seen one before and i've seen quite a few warnings.
> > Third: The tmpfs thing might be handy but i would just like to run the
> > OS in it's default stuff. If i need to edit things like that then
> > there is something wrong with Fedora.
> I agree; Fedora should ship with tmpfs configured, but its not my call. I'm
> just trying to help you.
And thanx for the help ^_^
> >> - Run selinux-policy-targeted (the default, so don't change it) and then learn a
> >> little bit about what denials mean, why they happen, and report those that you
> >> cannot figure out. Use setroubleshoot and sealert. I've got lots of denials in
> >> my audit database right now (actually 30+ of them are new today, for various
> >> stuff I've been testing)... but not one of them has stopped me from 'doing real
> >> work' on the system.
> > Again require me to do some work to get things fixed which should not
> > even be broken in the first place.
Not beta! This is selinux related and is like this for years so don't
tell me it's because of "beta". Otherwise try out Fedora 8 final fully
updated to see for yourself. It's (again) just selinux.
> > I simply don't get why such a idiotic system has to be in fedora...
> > Fedora is about user friendly distributions right? this one isn't user
> > friendly at all. Till now i've always disabled selinux as soon as the
> > first boot was completed.
> Well, its clear you don't understand it, which is ok, but debating its purpose
> or implementation is not a reasonable use of time. You may continue to disable
> SELinux... I'll continue to do everything I can to help the developers improve
> it because I value what it provides.
I'm interested in trying it out and having a secured linux machine but
not this way. Once it's illnesses are fixed (if that ever gets done)
and selinux only spits out warnings like every other firewall is doing
than i will probably use it by default as well. Just not now because
of the reasons i told a few times now.
> > Also a note about the selinux stats in the smolt database. When you
> > install fedora selinux is (sadly) enabled by default. And on the first
> > boot you get the smolt system specs sending stuff.. at that point
> > (atleast in F9 beta) there was NO option to turn off selinux so the
> > stats will therefore always indicate a higher selinux usage than is
> > actually the case. i turned it off right after those smolt things
> > where send but i'm in the smolt db now with selinux enabled!
> Every update smolt does will fix that, showing it turned off on the machine.
> Don't be overly dramatic, noone really cares whether the smolt stats are
> slightly padded or not: its nothing more than 'close to reasonably accurate',
> and it won't determine whether SELinux continues to be developed or whether
> Fedora backs it.
Not a big issue. just something worth noting incase anyone was gonna
point me to the numbers who are "using" selinux.
> Andrew Farris <firstname.lastname@example.org> www.lordmorgul.net
> gpg 0x8300BF29 fingerprint 071D FFE0 4CBC 13FC 7DEB 5BD5 5F89 8E1B 8300 BF29
> revoked key 0xC99B1DF3 no longer used
> No one now has, and no one will ever again get, the big picture. - Daniel Geer
> ---- ----
> fedora-devel-list mailing list
fedora-devel-list mailing list