[Novalug] October Talk -- SELinux for your (grand)parents

Gregory Maxwell gmaxwell@gmail.com
Mon Sep 27 12:39:21 EDT 2010


On Mon, Sep 27, 2010 at 12:05 PM, greg pryzby <greg@pryzby.org> wrote:
> Actually on Fedora I believe it is shipped enabled and it looks like
> many leave it on and don't know it ;)

Depends on how you define "many":
http://smolt.fedoraproject.org/static/stats/stats.html  then click on
the selinux tab.

It's less than half that have it enabled.

Unfortunately many linux "advice forums" seem to respond to every
single permissions related problem with instructions to disable SE
Linux— even when the symptoms do not implicate SE linux,  or when a
simple knob would relax selinux in the minimally amount required to
resolve the issue.

Because of this there is now something of a cargo culture of beginning
all troubleshooting by disabling selinux.  This is really unfortunate,
not only because the users lose the protection of selinux (and,
arguably[1], don't even understand what they're losing) but also
because the Fedora team loses an opportunity to improve the SElinux
infrastructure so that it gets in the way of users less often.





[1] https://www.redhat.com/archives/fedora-devel-list/2008-July/msg00221.html



More information about the Novalug mailing list