SOT: virtualization

Technomage technomage.hawke at gmail.com
Fri Dec 18 03:51:58 MST 2009


Craig White wrote:
> On Tue, 2009-12-15 at 18:46 -0700, Technomage wrote:
>   
>> Fedora: forces you to run SELINUX regardless of whether you need it or
>> not
>>     
> ----
> this is simply wrong.
>
> On Fedora 12 (the latest version released a few weeks ago)...
>   
I was running Fedora 11 and even with the settings as listed below, it 
was still attempting to run.
Also, its settings manager was rather a bit less intuitive than I would 
have liked (not very
blind friendly).

> # head -n 5 /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #       enforcing - SELinux security policy is enforced.
> #       permissive - SELinux prints warnings instead of enforcing.
> #       disabled - SELinux is fully disabled.
>
> if however you had the slightest bit of understanding of SELinux, you
> would have known that on any system, you can append 'setenforce 0' to
> the kernel boot parameters to disable SELinux at startup.
>
>   
As a desktop user, I am not required to have an understanding of an 
enterprise class security tool.
I personally think that it's rather unnecessary to have running (let 
alone installed). For the application
that I had tasked the machine, it was downright intrusive in allowing me 
to operate the machine.

> Even still, you could build your own kernel and not enable SELinux.
>
>   
I had not gotten that far and considering the use to which I was going 
to put the box,
the effort of building a kernel would have not been worth the expended time.

> I am quite sure that 'forcing' a user to run SELinux on Fedora has never
> even been discussed by serious people. You can permanently disable it on
> 'first boot' which is where you configure things like networking, users,
> startup services, firewall and of course, security.
>   
Unfortunately, the install routine for FC-11 didn't give me that option 
(and the install GUI is not the most
blind/VI friendly).

> As for your assertion that Fedora has 'dependency' issues... I simply do
> not ever have dependency issues with Fedora but if your analysis of
> dependencies is similar to your analysis of them 'forcing' users to run
> SELinux, then I would accept that you have had your share of problems.
>
> Craig
>   
Heheh. Yeah... my analysis isn't anywhere near a professional one. It's 
taken from the POV of an end user
that simply wants a system that "just works" without a lot of hassle and 
deep level configuration. I can do
a lot of this work, but some of the people I help out cannot (for 
various reasons) and it starts soaking a
non-trivial amount of my time to deal with these issues. At least with 
Debian 5, I can install a base level system,
then install X and lastly the DM of my choice (KDE, Xfce, OpenStep, 
whatever) and not have to gut the system
to do it.

