On Mon, 30 Aug 2010 21:10:12 +0900, Takehiko Abe wrote:

>> I've had exactly the opposite experience running SELinux, even with
>> hand-compiled applications from a variety of sources - including my
>> own.
>
> You say "the opposite" but you seem to have a lot of problems and spent
> fair amount of time because of SELinux. And what you get in return?
> Nothing except for a vague notion of "security".

I have not spent a large amount of time. Songbird and Mono are the only two troublesome issues I've had since SELinux has been a part of Redhat/Fedora.

I spent 1 hour (and one bug report) on Songbird. I abandoned it because it ran poorly and had multiple SELinux issues.

I did spend a few days off and on with mod_mono and friends. I finally decided that even if I got mod_mono running cleanly, any C#.NET programming I needed to do (mostly Java / .NET integration via SOAP) would be better done on Windows.

The NVidia issue is well known, documented, and actually mostly taken care of in their install script.

Other minor issues, such as the cron file descriptor leak, are normal bugs and taken care of pretty rapidly by the maintainers of various packages.

As far as a vague notion of security, I have to confess I have not studied SELinux, so I don't know the material in detail. It's on my list of things to do, but right now I'm in the middle of working on portlets (JSR 286), and some Tomcat configurations which I hope to write up. There is just so much time in the day . . .

That being said, one of the particular things that SELinux does that I like is preventing privileged applications from writing where it is unexpected. For example, unless you specifically label a directory for httpd, you'll get an SELinux denial (or warning if you run in permissive mode) when httpd tries to read or write from directories not deemed safe.

If you're developing PHP and using the ~username/public_html option to get around having to copy things over as root, this can be a bit of a pain until you label your file system correctly. However, this is a really valuable warning / denial. Many PHP frameworks tend to write temporary files. It would be nice to have the system deny those files if they're not in the expected places. Attackers subvert PHP frameworks all the time. By preventing files getting written to unexpected places, this makes the attack more difficult and the system more secure.

I've not had my use of the system hampered or curtailed by SELinux. I'm a pretty aggressive user. Right now I have an IDE (NetBeans), an editor (emacs), firefox, thunderbird, gyachi, pan, a shell, streamtuner, and audacious 2 running as this user. Sometimes I'll also have OpenOffice or Pencil running. I have Apache and MySQL running in the background, and I will be starting Tomcat 6.0.18 and Derby for testing soon (my portal container has issues with Tomcat 6.0.29). I occasionally run IP aliases to simulate multiple machines. Sometimes I'll fire up Google Earth when events happen in another part of the world where friends of mine live.

While doing this, I have had absolutely no issue with SELinux. Any small warning (haven't seen one in over a week) I can usually handle by issuing the appropriate SELinux command. I always file a bug report so that people can fix their programs. It's not much that I give back to Fedora (I spend a lot more time on ASF software), but it's a start.

As another person has said, if a program gives multiple SELinux warnings and seems to defy any simple attempts at file labeling as a fix, then maybe it's a poorly written program. If the program maintainers are not responsive to SELinux problems, then maybe the programmers have too much on their plates to properly maintain their contributions.

In any case, there are almost always other packages that perform the same tasks without the SELinux issues.

Of course, you always have the option of turning off SELinux. It's been my experience that turning off SELinux is not necessary.

Personally, I like knowing when a potentially unsafe operation is happening on my system. I actually learn a bit about security. I then change my habits and become a more security-conscious user, programmer, architect, system administrator. Learning new stuff is not a bad thing. In fact, it's pretty fun.

. . . just my two cents

/mde/

--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
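The post above describes the httpd/public_html labeling problem but not the mechanics of reading the denial and fixing the label. The script below is an added example, not code from the post or from Fedora; it parses one AVC denial line (constructed here in the audit.log format, with made-up pid/inode values; on a real box such lines come from `ausearch -m avc -ts recent`), picks the httpd content type that the denied permission calls for, and prints the persistent labeling commands. The type names (httpd_sys_content_t, httpd_sys_rw_content_t), the httpd_enable_homedirs boolean and the path /home/user/public_html are assumptions about a Fedora targeted-policy setup; check them against your own policy with `seinfo -t` or `sesearch` before applying.

```shell
#!/bin/sh
# Added example (not from the original post): parse an SELinux AVC denial
# and derive the semanage/restorecon commands that label a public_html tree.

# Constructed sample denial; pid, inode and timestamp are made up.
SAMPLE_AVC='type=AVC msg=audit(1283173812.123:456): avc:  denied  { write } for  pid=2345 comm="httpd" name="cache" dev=dm-0 ino=123456 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# avc_field LINE KEY: value of the KEY=value token, quotes stripped.
avc_field() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1 | tr -d '"'
}

# avc_perm LINE: the permission list between the braces, e.g. "write".
avc_perm() {
  printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# avc_ttype LINE: the type component (third field) of tcontext.
avc_ttype() {
  avc_field "$1" tcontext | cut -d: -f3
}

# suggest_type LINE: writable content needs the rw type; read-only does not.
# Assumed Fedora targeted-policy type names.
suggest_type() {
  case " $(avc_perm "$1") " in
    *" write "*|*" append "*|*" create "*|*" unlink "*|*" rename "*|*" setattr "*)
      echo httpd_sys_rw_content_t ;;
    *)
      echo httpd_sys_content_t ;;
  esac
}

# label_cmds DIR TYPE: commands that make the label survive a relabel.
# The boolean is needed for httpd to enter home directories at all (assumed).
label_cmds() {
  dir=$1
  type=$2
  printf '%s\n' "setsebool -P httpd_enable_homedirs on"
  printf '%s\n' "semanage fcontext -a -t $type \"$dir(/.*)?\""
  printf '%s\n' "restorecon -Rv \"$dir\""
}

# Walk the constructed denial end to end.
echo "comm=$(avc_field "$SAMPLE_AVC" comm) perm=$(avc_perm "$SAMPLE_AVC") target_type=$(avc_ttype "$SAMPLE_AVC")"
label_cmds /home/user/public_html "$(suggest_type "$SAMPLE_AVC")"
```

The script only prints the commands; run them as root once you have confirmed that httpd really should be writing into that tree. If the denial is for a directory a framework should never touch, the right fix is the framework's configuration, not a broader label.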