Tim wrote:
Ian Malone:
The 'correct' solution seems to be to use chcon -t texrel_shlib_t on
every file that has this problem (use dmesg to hunt them down).
Tim:
I'm not sure I'd do that on "every" file that generates that warning.
Some of them probably shouldn't be allowed to do that, that's why
there's a restriction for that sort of thing.
Ian Malone:
I'm sure you're right, but I have no idea even what I'm allowing
them to do, and very little incentive to invest the time in SELinux
to find out how to make the decision. (And I'm sure that path
ends up with me trying to security audit every package on my
home machine which would be craziness.)
If you don't have time to get it right, you might as well not use it.

Then what's it there for? By comparison udev isn't something that
demands my attention all the time.

Having SELinux on, but allowing everything, isn't doing you any good.

Maybe I was being a bit flippant when I said everything. It just
seems that way sometimes.

It can even cause you problems: Permissive mode isn't completely
permissive, it's been found. And some people find SELinux slows their
systems down.

Then why is it on by default if permissive mode is broken and the
advice to people who experience problems is to turn it off and forget
about it?
--
imalone