This does strike me as a little sloppy. If Fedora installs it, shouldn't Fedora set selinux to allow it? Maybe I'm missing something...
Not necessarily. For example, when you enable Samba, you have to further enable an selinux setting if you're going to be sharing home directories via Samba. Otherwise, the requests are rejected by default. The idea here is that while a particular program may allow a variety of things to be done, you can use selinux to block things in a fine grained way, external to that program.
Why is this better than just not configuring the program to do things you don't want in the first place? The answer to that is the program itself might get subverted through something like a buffer overwrite.
Generally speaking, in the security world you default to the most restrictive behavior and administrators loosen up the restrictions as needed. This, of course, tends to annoy everyday users who don't realize all the insecurities of what they want to do, and just want it to work. I mean, all those flashing red lights and sirens can be annoying when all I want to do is start a little campfire over there next to the gas cans.
Make sense?
Wayne.
-- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
