Posted Jul 23, 2008 18:14 UTC (Wed) by andrigtmiller (guest, #53053)
Parent article: SELinux and Fedora
I have been using Fedora since Fedora Core 3, and ever since SELinux was available, I have
been running it in enforcing mode. I must say that I have run into problems, especially early
on, and had to play with configuring things that the average user would never understand.
Having said that, today, I have virtually no problems with SELinux, and appreciate the fact
that it's on and protecting me.

I do use the SETroubleShoot tool, so I see (in the UI) every time I get an access denied error
with SELinux. Most of the time, even when I do get them, it actually doesn't cause any
problems with completing the task at hand, and I then take the report from the tool and enter
a bugzilla with the information. The Fedora team fixes these issues relatively quickly when
it's a policy change that's needed. The last time I had an issue, it turned out that the
policy was fine, but an underlying component was actually doing something it shouldn't be
doing, and that code was fixed. This helps to drive secure coding practices across a wide
spectrum of software, and shouldn't be lightly discounted.

If this wasn't on by default, users like myself would find it difficult to contribute to the
community effort to make this better, and the technology would just languish.

I say leave it on by default, don't give an installation option to turn it off, and let's all
use the tools provided to continue to make it better. I haven't seen a single SELinux Alert
on my Fedora 9 system in about three months, and it continues to get better and better. Let's
stay the course!