Fedora 34 Aims To Further Enhance Security But Will Lose Runtime Disabling Of SELinux
Originally posted by droidhacker
SELinux works well in very static situations. Works well for Android. The problem with it on something like Fedora is that everybody configures it to their own needs.
Originally posted by hauberg
I agree that SELinux + editing of random config files is a time-consuming combination. However, configuring the system using the default GUI should not bring any sort of conflict with SELinux. Since stuff like that happens somewhat regularly, SELinux quickly gets a poor reputation with non-sysadmin users.
Originally posted by hauberg
SELinux is one of those things where more work is needed to reduce the amount of paper cuts here and there. For instance, in Fedora you cannot use the default Gnome GUI for setting up OpenVPN using certificates. SELinux will block it, but you never get any message about this (unless you know where to look); the VPN connection just fails. It's great that SELinux is being pushed harder, but it sure would be nice if an effort was made to reduce end-user-facing paper cuts.
Fedora should probably patch that GUI to only allow choosing files from that one secured directory.
Originally posted by Zan Lynx
Yeah. I think I ran into that OpenVPN thing a while ago. If I remember correctly, there's a directory you're supposed to use for the certificates or secrets. But nothing in the GUI limits you or hints about it. I remember that you certainly can't use $HOME/Downloads.
Fedora should probably patch that GUI to only allow choosing files from that one secured directory.
I find "permissive" to be useful when used in combination with audit2why or audit2allow. Without it I find that sometimes I'll see the offending error with ausearch, then use audit2allow for example to create a new policy to fix it... Then the application is still broken. What gives? Run ausearch again and ah... I got past that error but now there's a NEW error. By putting it in permissive first, now ausearch will show multiple errors. You can pipe all of those into audit2allow to generate one policy that addresses all those errors in one policy and avoid that game of whack-a-mole. Just gotta make sure you flip it back into "enforcing" when you're done.
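The permissive-then-audit2allow round described above, as an added shell example that is not from the thread. The AVC records are constructed, `unique_denials` and `denial_count` are hypothetical helpers that reduce them to the distinct source-type/target-type/class/permission tuples audit2allow would turn into rules, and `permissive_round` is a hypothetical wrapper around the real `setenforce`, `ausearch` and `audit2allow` commands that needs root on an SELinux host and is defined but not run here.

```shell
#!/bin/sh
# Added example (not from the thread). The AVC records below are constructed to
# look like what "ausearch -m AVC" prints after one run in permissive mode: the
# same openvpn_t -> user_home_t "read" denial three times plus one "open" denial.
SAMPLE_AVC='type=AVC msg=audit(1612345678.001:101): avc:  denied  { read } for  pid=2101 comm="openvpn" name="client.crt" dev="dm-0" ino=40 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1612345678.002:102): avc:  denied  { open } for  pid=2101 comm="openvpn" path="/home/user/Downloads/client.crt" dev="dm-0" ino=40 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1612345678.003:103): avc:  denied  { read } for  pid=2101 comm="openvpn" name="client.crt" dev="dm-0" ino=40 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1612345678.004:104): avc:  denied  { read } for  pid=2101 comm="openvpn" name="client.key" dev="dm-0" ino=41 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1'

# Hypothetical helper: reduce raw AVC lines on stdin to the distinct
# "source_type target_type class permission" tuples, i.e. the set of allow
# rules audit2allow would emit. This is the list to review before installing
# a generated module, since each line is exactly what the rule would grant.
unique_denials() {
    sed -n 's/.*avc: *denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* tcontext=[^:]*:[^:]*:\([^: ]*\)[^ ]* tclass=\([^ ]*\).*/\2 \3 \4 \1/p' \
        | sed 's/  */ /g; s/ *$//' \
        | sort -u
}

# Number of distinct denials: how many enforcing-mode rounds of whack-a-mole
# one permissive run has collapsed into a single pass.
denial_count() {
    unique_denials | wc -l | tr -d ' '
}

# Hypothetical wrapper for the round described in the post. Needs root on an
# SELinux host; it is defined here but deliberately not called.
permissive_round() {
    module="$1"                                   # name for the generated module
    setenforce 0                                  # log every denial in one run
    printf 'Reproduce the failure now, then press Enter\n'; read -r _
    ausearch -m AVC -ts recent | unique_denials   # triage list for review
    ausearch -m AVC -ts recent | audit2allow -M "$module"   # one module covering all of them
    setenforce 1                                  # back to enforcing before anything is installed
    printf 'Review %s.te before "semodule -i %s.pp"; a denial can mean a mislabeled file rather than a missing rule\n' "$module" "$module"
}

printf '%s\n' "$SAMPLE_AVC" | unique_denials
# prints:
# openvpn_t user_home_t file open
# openvpn_t user_home_t file read
```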
SELinux also saved me a few times from some spotty binaries whose origin I thought I knew.
Most of the issues I had with it were mislabeled files. Just ran "touch /.autorelabel", rebooted, and it stopped bothering me (usually happens after in-place upgrades).