Thomas Cameron via users writes:

Have you watched this video? https://www.youtube.com/watch?v=_WOKRaM-HI4 The slides are available at https://people.redhat.com/tcameron/Summit_2018/selinux/

No, but I will.

SELinux generally only throws errors if you're doing something unexpected. I

I wouldn't call running something from cgi-bin "unexpected". That's a hard sell, but if I install something on Fedora in cgi-bin, I need to write an SELinux policy for it.

I think that SELinux needs to be simple enough to learn by anyone, with a minimum amount of effort, with readily available resources and reference material. There should be an SELinux equivalent of C++'s cppreference.com. C++ has become its own Frankenstein's monster, over the years, but I can always find what I'm looking for, on cppreference. Until SELinux has a much lower learning curve, I think it is harming Fedora by making it hard to package anything that gets dropped into cgi-bin. Here's the gobbledygook I had to cobble together:

https://github.com/svarshavchik/libcxx/blob/master/packaging/fedora/libcxx.te

I don't even remember how I came up with this. But I think this is just one of the reasons why Fedora's popularity has slipped over the years: having this kind of a high barrier to entry.

How about another example of "unexpected": running a Qemu VM that talks to a USB port: https://bugzilla.redhat.com/show_bug.cgi?id=2343411 – and I filed a small collection of these. It looks to me like it passed triage almost a year ago, so it wouldn't get auto-closed. I'm not knocking anyone, everyone's time is limited, but the fact that something like this is taking so much time to unravel doesn't help with Fedora's usefulness.

Or, another example of unexpected event: connecting to a WiFi access point: https://bugzilla.redhat.com/show_bug.cgi?id=2362879 – /run/NetworkManager/no-stub-resolv.conf's SELinux context kept getting clobbered, for a long time. This one has already been errata-ed, but I'm still getting AVCs on no-stub-resolv.conf, from time to time. I just don't have the cycles to prepare a report for it.

But, thanks for the kind offer.
