I have been using Fedora since Fedora Core 3, and ever since SELinux was available, I have been running it in enforcing mode. I must say that I have run into problems, especially early on, and had to play with configuring things that the average user would never understand. Having said that, today, I have virtually no problems with SELinux, and appreciate the fact that it's on and protecting me. I do use the SETroubleShoot tool, so I see (in the UI) every time I get an access denied error with SELinux. Most of the time, even when I do get them, it actually doesn't cause any problems with completing the task at hand, and I then take the report from the tool and enter a bugzilla with the information. The Fedora team fixes these issues relatively quickly when it's a policy change that's needed. The last time I had an issue, it turned out that the policy was fine, but an underlying component was actually doing something it shouldn't be doing, and that code was fixed. This helps to drive secure coding practices across a wide spectrum of software, and shouldn't be lightly discounted. If this wasn't on by default, users like myself would find it difficult to contribute to the community effort to make this better, and the technology would just languish. I say leave it on by default, don't give an installation option to turn it off, and let's all use the tools provided to continue to make it better. I haven't seen a single SELinux Alert on my Fedora 9 system in about three months, and it continues to get better and better. Let's stay the course!