SOT: virtualization

Craig White craigwhite at azapple.com
Wed Dec 23 13:06:54 MST 2009


On Fri, 2009-12-18 at 03:51 -0700, Technomage wrote:
> Craig White wrote:
> > On Tue, 2009-12-15 at 18:46 -0700, Technomage wrote:
> >   
> >> Fedora: forces you to run SELINUX regardless of whether you need it or
> >> not
> >>     
> > ----
> > this is simply wrong.
> >
> > On Fedora 12 (the latest version released a few weeks ago)...
> >   
> I was running Fedora 11 and even with the settings as listed below, it
> was still attempting to run.
> Also, its settings manager was rather a bit less intuitive than I would
> have liked (not very blind friendly).
> 
> > # head -n 5 /etc/selinux/config
> > # This file controls the state of SELinux on the system.
> > # SELINUX= can take one of these three values:
> > #       enforcing - SELinux security policy is enforced.
> > #       permissive - SELinux prints warnings instead of enforcing.
> > #       disabled - SELinux is fully disabled.
----
disabled actually means disabled...you can't get any more disabled than
disabled and if it is actually disabled, it doesn't run, period, end of
story.
----
> >
> > if however you had the slightest bit of understanding of SELinux, you
> > would have known that on any system, you can append 'setenforce 0' to
> > the kernel boot parameters to disable SELinux at startup.
> >
> >   
> As a desktop user, I am not required to have an understanding of an
> enterprise class security tool.
> I personally think that it's rather unnecessary to have running (let
> alone installed). For the application that I had tasked the machine, it
> was downright intrusive in allowing me to operate the machine.
----
That sort of invites a discussion of grey areas.

Red Hat clearly considers SELinux to be Enterprise Class Security which
is why they include it.

Fedora provides a test bed for new software, new SELinux policies, new
administration tools and many of them have been included in the 4.6,
4.7, 4.8, 5.2, 5.3, 5.4 updates.

You are not alone in wanting to disable it to allow stuff that you wrote
yourself or built from tarballs because there isn't existing policy for
that so you have to create it yourself.

Security is built on layers and SELinux is just another layer and it
really isn't that difficult to manage but you do have to invest time and
energy to learn how to use it...which is why some people just shut it
off.

Back to the original assertion though... disabled means disabled.
----
> The effort of building a kernel would have not been worth the expended time.
> > I am quite sure that 'forcing' a user to run SELinux on Fedora has never
> > even been discussed by serious people. You can permanently disable it on
> > 'first boot' which is where you configure things like networking, users,
> > startup services, firewall and of course, security.
> >   
> Unfortunately, the install routine for FC-11 didn't give me that option
> (and the install GUI is not the most blind/VI friendly)
----
maybe you should bugzilla your experiences to identify where the
install/first run failed to meet your needs so that it can do better for
the next user or your next experience. The theory being it isn't a bug
if it's not in bugzilla.
----
> > As for your assertion that Fedora has 'dependency' issues... I simply do
> > not ever have dependency issues with Fedora but if your analysis of
> > dependencies is similar to your analysis of them 'forcing' users to run
> > SELinux, then I would accept that you have had your share of problems.
> >
> > Craig
> >   
> heheh. yeah....my analysis isn't anywhere near a professional one. It's
> taken from the POV of an end user that simply wants a system that "just
> works" without a lot of hassle and deep level configuration. I can do
> a lot of this work, but some of the people I help out cannot (for
> various reasons) and it starts soaking a non-trivial amount of my time
> to deal with these issues. At least with Debian 5, I can install a base
> level system, then install X and lastly the DM of my choice (kde, xfce,
> openstep, whatever) and not have to gut the system to do it.
----
we are all end users. Fedora gives you a choice of dm's like any other
distro without 'gutting' the system. There are a lot of people who
believe it just works - I guess you are not one of them. Not a big deal
but your conclusions that you are 'forced' to run SELinux or have to
'gut' a Fedora system in order to choose another Desktop Manager are
wrong and anyone that thinks you know what you are talking about will
get the wrong impression.

Craig
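
An added example, not part of the original message: a shell check that predicts the SELinux mode from the `SELINUX=` line quoted above plus the kernel command line, and compares it with what is actually running. It assumes the kernel parameters `selinux=0` and `enforcing=0`/`enforcing=1`, the precedence stated in the comments, and the selinuxfs mount point `/sys/fs/selinux` (older releases used `/selinux`); the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): predict and check the SELinux mode.

# Value of the first uncommented SELINUX= line in a config file, lowercased.
selinux_config_mode() {   # $1 = path to a file like /etc/selinux/config
    sed -n 's/^SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" 2>/dev/null |
        head -n 1 | tr 'A-Z' 'a-z'
}

# Value of a key=value word on a kernel command line; empty if absent.
# If the key is repeated, the last value is reported (a simplification).
cmdline_param() (         # $1 = key, $2 = command line string
    set -f                # no globbing while splitting the string into words
    val=
    for word in $2; do
        case $word in "$1="*) val=${word#"$1="} ;; esac
    done
    printf '%s\n' "$val"
)

# Assumed precedence: selinux=0 on the command line or SELINUX=disabled in
# the config gives "disabled"; otherwise enforcing=0/1 on the command line
# overrides the enforcing/permissive value from the config file.
expected_selinux_mode() { # $1 = config file, $2 = command line string
    cfg=$(selinux_config_mode "$1")
    if [ "$(cmdline_param selinux "$2")" = 0 ] || [ "$cfg" = disabled ]; then
        echo disabled
        return 0
    fi
    case $(cmdline_param enforcing "$2") in
        0) echo permissive ;;
        1) echo enforcing ;;
        *) echo "${cfg:-unknown}" ;;
    esac
}

# Mode of the running kernel, read from selinuxfs (assumed mount point).
running_selinux_mode() {
    [ -r /sys/fs/selinux/enforce ] || { echo disabled; return 0; }
    case $(cat /sys/fs/selinux/enforce) in 1) echo enforcing ;; *) echo permissive ;; esac
}

# On a live system, print both so a mismatch is visible.
if [ -r /etc/selinux/config ] && [ -r /proc/cmdline ]; then
    echo "expected: $(expected_selinux_mode /etc/selinux/config "$(cat /proc/cmdline)")"
    echo "running:  $(running_selinux_mode)"
fi
```

A difference between the two printed lines usually means the config file was edited after boot or the mode was changed at runtime.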





More information about the PLUG-discuss mailing list