Re: SELinux

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, 30 Aug 2010 13:29:51 +0900, Takehiko Abe wrote:

>>> I would advise Patrick to disable Selinux. I've made that decision
>  >> long ago because it gives me more problems when enabled that I can
>  >> possibly solve. IMHO the user interface is so bad that selinux is
>  >> unuseable for an ordinary enduser.

Huge rant against SELinux deleted . . . .

I've had exactly the opposite experience running SELinux, even with hand-
compiled applications from a variety of sources - including my own.

I've had some issues with understanding how SELinux works - the latest 
being not able to pipe output to root's home directory. However, in 
retrospect, the restriction is good and one that is easy to solve (pipe 
to /tmp, then mv or cp).

The last two nightmare SELinux issues I had were with Songbird and the 
Mono server that enables Mono on Apache. Both had multiple problems, and 
to me it's indicative of sloppy coding. I decided not to run those 
applications. This is probably a wise decision since Songbird for Linux 
is no more. I've yet to see a satisfactory configuration of Mono and 
Apache on Linux that doesn't entail disabling SELinux. Since I'm not 
a .NET or C# fan, I'll happily do without.

I think in a home environment the key has been to run in permissive mode. 
Then you get all of the warnings along with how to fix the problem. An 
added bonus is that you can submit bug reports about SELinux with the 
hope of making it better and more seamless. Once you don't get SELinux 
warnings for a few days, you might think about running in strict mode.

The only continuing nag that I have now is NVidia's proprietary driver. 
Fortunately I have a script I run after building the driver to take care 
of any lingering SELinux issues. I prefer installing the driver by hand 
(as well as tweaking xorg.conf and overclocking my graphics card) rather 
than depending on rpmfusion.org. They provide a fine service (and I use 
some of their other packages), but I've had no trouble building the stock 
NVida drivers.

. . . . just my two cents.

/mde/

-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux