
Not really


Posted Jul 15, 2008 8:24 UTC (Tue) by mauvaisours (subscriber, #6130)
In reply to: Not really by dpquigl
Parent article: SELinux and Fedora

I was hurt by SELinux some years ago, when installing a server that I needed for a quick
demo. At that time, I was only semi-aware that RH had turned SELinux on by default. So when
things went wrong (from my point of view), I was completely baffled.

The big black point of SELinux is that it does not show up in standard commands [ls, ...], so
that the message you get is "permission denied", but you have no way of knowing why. 

And the documentation was (is?) so thin on the subject that all I could do (at the time) was
just shut it down, and as I was too busy, I never looked at it again, and I disable it on all
new installs.

So my guess would be:
1/ Write extensive documentation
2/ Make people read that doc (it's not that hard. I would.)
3/ Include that documentation on standard distros.
4/ Turn SELinux on by default.

It was done in the wrong order.



Not really

Posted Jul 15, 2008 18:44 UTC (Tue) by nix (subscriber, #2304)

Hah, I wish. It is *very* hard to get most people to read any 
documentation at all, generally because they don't care about SELinux (or 
any security system protecting against *potential* threats) until it 
causes problems, by which point things have already gone wrong. (If 
they're not running it they may suddenly start caring when they get 
rooted, but that, again, is too late.)

Nobody knows how to resolve this particular dilemma :(

Not really

Posted Jul 15, 2008 19:38 UTC (Tue) by mauvaisours (subscriber, #6130)

I agree that nobody knows how to resolve this dilemma, but pushing a new undocumented security
model to users is certainly not the way to go.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds