Re: SElinux

Matthew Saltzman wrote:
On Mon, 3 Apr 2006, Robert Nichols wrote:

Craig White wrote:

The policy updates from Fedora have been frequent and are automatically
installed/applied


True, and they might even be workable on a system that is set up
with 100% standard file system structure and users whose interaction
with the OS is limited to clicking on icons.  Add a separate
filesystem for large downloaded files or have a user that uses the
(gasp!) command line to do bizarre things like redirect the output
from ping onto a file in his home directory and SELinux starts
blocking you at every turn unless you can spend the time to become
an SELinux guru and figure out what needs to be tweaked in the
policy or attributes to fix things _this_ time, and try to guess
how badly that change will break when tomorrow's policy update gets
installed.


This (blocking redirected pings) seemed bizarre to me, so I brought it up on the fedora-selinux list.

Good News: I had the resolution in about 45 minutes.

Bad News (maybe): It's apparently an actual bug. I will bugzilla later if Robert doesn't relent and do it first.

Sort-of Good News: Once it's fixed, that issue will be resolved, presumably for good.

Bad news: SELinux is *itself* something which reduces security.
The more code you load, the more exploitable defects get loaded.
And SELinux isn't small.

Mike
--
p="p=%c%s%c;main(){printf(p,34,p,34);}";main(){printf(p,34,p,34);}
This message made from 100% recycled bits.
You have found the bank of Larn.
I can explain it for you, but I can't understand it for you.
I speak only for myself, and I am unanimous in that!

