Re: selinux is a pain
- From: Robert Nichols <rnicholsNOSPAM@xxxxxxxxxxx>
- Date: Tue, 20 Sep 2011 19:59:11 -0500
On 09/20/2011 03:10 PM, Alan Cox wrote:
In some perhaps. The big cases it helps are desktop (mostly protecting
against browser stuff) - where it usually just works, and web serving,
where it's most definitely valuable but does mean reading the docs.
I always find it interesting when people say that, since the browser
actually runs unconfined**. There is a boolean that confines browser
plugins, but its default state is OFF, and quite a few things stop
working if you turn it on.
Even with all the nonstandard things I do with my system, I'm still able
to run with SELinux in enforcing mode quite nicely. Prior to about
Fedora 12, I couldn't do that. The tools to allow mere mortals to
analyze problems and make needed policy changes weren't up to the task,
and each new Fedora release made changes that forced you to throw out
much of what you had learned and work it all out again. That now
seems to be all in the past. My biggest problem these days is that I
have so little need to use the tools that I forget how.
** I'm running CentOS 6 on my primary machine. Perhaps things are
different in the latest Fedora release.
# ps -Z $(pgrep firefox)
LABEL PID TTY STAT TIME COMMAND
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 31756 ? Sl 2:26
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
users mailing list
To unsubscribe or change subscription options:
- Prev by Date: Re: Samba problems. Samba master fight with Linksys E4200 wireless router with storage ?
- Next by Date: Re: selinux is a pain
- Previous by thread: Re: selinux is a pain
- Next by thread: Re: selinux is a pain