:-)

On Thursday 18 October 2007 18:58, William Case wrote:
> I believe the problem is in RTFM. There is no FM manual to read.

I started with man selinux, and read on what was suggested in the "see also" section from there, focusing on what seemed most interesting. Given the particular problem I had, I found out that the answer Dan Walsh kindly provided for me here on the list was precisely in the "examples" section of one of the man pages.

> Since SELinux is a major alteration to the kernel, there should be
> equally as extensive and informative documentation and explanations -
> starting with the simplistic up to the detailed. Appropriate assistive
> guis would be welcome.

Think of it as an extension to the concept of permissions. That's as simple as one can get (actually, SELinux is probably much more complicated, but from a naive user's perspective it looks pretty much the same). When something does not work, look at /var/log/messages, and find out that your program has some_label_t while the object it tries to access has some_different_label_t. The nontrivial part is to understand that the two labels are "incompatible", why that is so, and what the proper solution is.

The learning curve may seem steep, but this is also the case when one is not familiar with the usual unix permissions system. However, I don't see any people whining that permissions are "too technical", or "not useful for the ordinary user" or "too buggy and introduce vulnerabilities" or "there should be a way to uninstall them". Just like permissions, SELinux is not a package, it is a Way Of Things, a paradigm that is useful and brings more control to the user.

Furthermore, I have been a Win* convert for several years now, and have not so far RTFM on unix perms, ever (other than the man pages for chmod, chown and chgrp). Yet still, I learned to use them and resolve any issues that might appear. I am not even sure that there is a FM for that at all...
;-)

> Meanwhile, until the day comes that I have the time for intensive study,
> I will leave SELinux in permissive mode.

That would be analogous to using the root account for regular work, just to avoid problems when a "permission denied" message appears to an ordinary user account. And we all know that is a Bad Idea.

Best, :-)
Marko

Marko Vojinovic
Institute of Physics
University of Belgrade
======================
e-mail: vmarko@xxxxxxxxxxxx
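The diagnostic step Marko describes (read /var/log/messages, find which label the program runs with and which label the object carries) is the part a newcomer can automate. The script below is an added example, not code from this thread or from the SELinux project: it parses AVC messages in the syslog form the kernel uses for audit records, pulls the type field out of `scontext` and `tcontext`, and tallies denials per (source type, target type, object class, permission) so the "incompatible labels" pair stands out. The log lines, host name, pids and inode numbers are constructed for the example; only the `avc: denied { ... } for ... scontext=... tcontext=... tclass=...` layout is the real message format.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample of /var/log/messages lines (hypothetical host, pids, inodes).
# Lines 1-3 are AVC denials, line 4 is an AVC "granted" record, line 5 is unrelated.
SAMPLE_LOG = """\
Oct 18 19:02:11 myhost kernel: audit(1192730531.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Oct 18 19:02:12 myhost kernel: audit(1192730532.456:46): avc:  denied  { read open } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
Oct 18 19:03:40 myhost kernel: audit(1192730620.789:47): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
Oct 18 19:04:02 myhost kernel: audit(1192730642.001:48): avc:  granted  { setenforce } for  pid=2400 comm="setenforce" scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
Oct 18 19:05:00 myhost sshd[2500]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
"""

# Matches the AVC verdict and permission set, leaving the key=value tail for FIELD_RE.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (comm="httpd") or bare (scontext=...).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class AvcEvent:
    verdict: str
    perms: tuple          # permissions inside the braces, e.g. ("read", "open")
    comm: str             # program name as reported by the kernel
    source_type: str      # type component of scontext, e.g. httpd_t
    target_type: str      # type component of tcontext, e.g. user_home_t
    tclass: str           # object class: file, tcp_socket, dir, ...
    target_name: str      # file name or destination port when the record has one


def context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {ctx!r}")
    return parts[2]


def parse_avc_line(line):
    """Parse one syslog line; return an AvcEvent, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return AvcEvent(
        verdict=m.group("verdict"),
        perms=tuple(m.group("perms").split()),
        comm=fields.get("comm", "?"),
        source_type=context_type(fields["scontext"]),
        target_type=context_type(fields["tcontext"]),
        tclass=fields["tclass"],
        target_name=fields.get("name") or fields.get("dest") or "",
    )


def denials(log_text):
    """All 'denied' AVC events in a block of log text, in order."""
    events = (parse_avc_line(line) for line in log_text.splitlines())
    return [e for e in events if e is not None and e.verdict == "denied"]


def summarize(events):
    """Count denials per (source type, target type, object class, permission)."""
    counts = Counter()
    for e in events:
        for perm in e.perms:
            counts[(e.source_type, e.target_type, e.tclass, perm)] += 1
    return counts


if __name__ == "__main__":
    # Each line names the label pair and permission to look up in the policy docs.
    for (src, tgt, cls, perm), n in sorted(summarize(denials(SAMPLE_LOG)).items()):
        print(f"{n:3d}x  {src} -> {tgt}  ({cls}: {perm})")
```

Run against the constructed sample it reports two `httpd_t -> user_home_t (file: read)` denials, one for `open`, and one `httpd_t -> mysqld_port_t (tcp_socket: name_connect)`; the "granted" record and the sshd line are ignored. To use it on a real box, feed the contents of /var/log/messages (or the audit log, whose records carry the same `scontext`/`tcontext`/`tclass` fields) to `denials()`; the tallied type pairs are exactly the names to search for in the policy man pages the thread recommends.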