
Not really


Posted Jul 10, 2008 18:03 UTC (Thu) by dpquigl (subscriber, #52852)
In reply to: Not really by jschrod
Parent article: SELinux and Fedora

2) I would like to have seen the error that he was getting from postgres but I have a feeling
if you ran it through one of the several tools it would have become apparent that postgres
didn't have permission to follow symlinks. However, this stems from needing to know that there
is a difference between symlinks and directories so even if it was clear in the message it
would need further explanation.

3) I agree that SELinux documentation is lacking at the moment but there are several efforts
currently going on to work on this. I have been preparing a series of tutorials and
presentations for educating people about the security model SELinux implements and how to
configure a machine in non-standard ways such that it still works with SELinux. Also there is
now someone working full time to generate documentation for SELinux.

4) We have seen this complaint come up quite a few times and we can't figure out where it
comes from. Have you had personal experience with someone in the community treating you this
way? When I first started learning about SELinux I had many questions and the community was
very helpful and didn't make me feel stupid for asking them. If you have specific examples of
this I'd be glad to see them. It is possible that this might be a residual complaint from the
early days of SELinux that has hung around like some of the other complaints people have about
SELinux.



Not really

Posted Jul 10, 2008 18:12 UTC (Thu) by dpquigl (subscriber, #52852)

I forgot to mention, if there is anything you would like to see in the SELinux documentation
feel free to send suggestions to the mailing list and we will see about integrating them into
the documentation list.

Not really

Posted Jul 15, 2008 8:24 UTC (Tue) by mauvaisours (subscriber, #6130)

I was hurt by SELinux some years ago, when installing a server that I needed for a quick
demo. At that time, I was only semi-aware that RH had turned SELinux on by default. So when
things went wrong (from my point of view), I was completely baffled.

The big black point of SELinux is that it does not show up in standard commands [ls, ...], so
that the message you get is "permission denied", but you have no way of knowing why. 

And the documentation was (is?) so thin on the subject that all I could do (at the time) was
just shut it down, and as I was too busy, I never looked at it again, and I disable it on all
new installs.

So my guess would be:
1/ Write extensive documentation
2/ Make people read that doc (it's not that hard. I would.)
3/ Include that documentation in standard distros.
4/ Turn SELinux on by default.

It was done in the wrong order.

Not really

Posted Jul 15, 2008 18:44 UTC (Tue) by nix (subscriber, #2304)

Hah, I wish. It is *very* hard to get most people to read any 
documentation at all, generally because they don't care about SELinux (or 
any security system protecting against *potential* threats) until it 
causes problems, by which point things have already gone wrong. (If 
they're not running it they may suddenly start caring when they get 
rooted, but that, again, is too late.)

Nobody knows how to resolve this particular dilemma :(

Not really

Posted Jul 15, 2008 19:38 UTC (Tue) by mauvaisours (subscriber, #6130)

I agree that nobody knows how to resolve this dilemma, but pushing a new undocumented security
model to users is certainly not the way to go.
