LinuxQuestions.org
Old 12-01-2009, 12:37 PM   #1
TheStarLion
Member
 
Registered: Nov 2009
Location: UK
Distribution: Gentoo
Posts: 472

Rep: Reputation: 41
Questions about SELinux


After installing F12 on my laptop, and leaving the default packages untouched - except to add a few extras - I find myself using SELinux for the first time, and I'm not sure if it's worth it or not.

My first question is, for your average desktop user, where the network itself already handles most security instead of the desktop PCs and laptops connected... is it really any use/help to me?

My second question is, why is it, whenever I launch a Wine program, all theming (i.e. the selected GTK Controls, colors, icons, pointers etc) is reverted back to the Fedora standard, forcing a restart to get it back to normal?

And my third and last question is, how do I remove it? Not just disable it, but short of a complete re-install, is there any way to take it away as completely as possible?

Thanks.
 
Old 12-01-2009, 02:10 PM   #2
rweaver
Senior Member
 
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Rep: Reputation: 167
There is a time and place for SELinux; a desktop box that isn't exposed to the internet may or may not be it, depending on your security outlook.

There is no need to actually fully remove it in reality; a simple sestatus will tell you if it's active or not, and if it reports 'disabled' it isn't going to affect anything on your system negatively.

My biggest gripe with selinux is that it tends to cause programs to fail without giving clear indication of *why it failed* or what caused the failure. It often takes some time and research to figure out that selinux is the reason for the program failing and often by then the user is so flustered that they just disable it entirely to avoid the problems in the future.

If you have the time, take it and learn to work with selinux. You will be more secure for it, but expect to occasionally be annoyed with it and to have to spend some time granting permissions through selinux to applications and daemons.

edit: on my servers it typically is enabled, on my desktop typically not.
 
Old 12-01-2009, 02:13 PM   #3
TheStarLion
Member
 
Registered: Nov 2009
Location: UK
Distribution: Gentoo
Posts: 472

Original Poster
Rep: Reputation: 41
I have it set to disabled, yet it still seems to get in the way, and still seems to be running, when I'd rather it wasn't.

Security-wise, I think I'd like to remove it, but I don't know which packages - I've had a look through, and some of them seem to be needed outside of SELinux, others don't, so exactly which ones to remove is, to me, questionable.
 
Old 12-01-2009, 02:34 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by TheStarLion
where the network itself already handles most security
Could you explain in detail what you mean by that?

Quote:
Originally Posted by TheStarLion
And my third and last question is, how do I remove it? Not just disable it, but short of a complete re-install, is there any way to take it away as completely as possible?
Asking a question that way implies that regardless of asking questions you have already made up your mind.

While I like GRSecurity for its strengths and TOMOYO for its ease of use there is no realistic equivalent in the GNU/Linux world that is maintained and supported, that gains adaptation and that helps distributions get EAL4+ certified like SE Linux does. It is worthwhile enabling not only for those reasons but also because it is combat-proven. Searching the 'net will show proof. What's more is that everyone enabling it can help make it better just by running it and adding tickets to the bug tracker when modifying the local policy doesn't make things work. Turning off SE Linux completely is not helping Fedora, the LQ Community, SE Linux and you. IMHO. Instead of trying to remove it, which you essentially can't since a lot of applications are compiled to be SE Linux aware, I'd suggest you move to another distribution if you aren't prepared to help out.

* BTW your second question is not about Linux Security and should be broken off to its own thread in either the Fedora or Newbie forum.
 
Old 12-01-2009, 02:44 PM   #5
TheStarLion
Member
 
Registered: Nov 2009
Location: UK
Distribution: Gentoo
Posts: 472

Original Poster
Rep: Reputation: 41
My mistake on the second, I'll handle it later.
As to the network security, I've never had a problem with the current setup, so I'm leaving it as is.

As to the rest... I've moved distro once already to one that is easier to me, unless someone can explain the Slackware ISOs to me so I understand what the difference is, and which one I need to get the equivalent of a standard Ubuntu livecd for that distro, I don't intend on changing.
So removing/disabling SELinux might not, in general help the communities, but I seem to have a range of problems it causes - such as, my second issue, nothing Wine-related can run without gnome losing all theming, sometimes Wine applications fail to run, etc.
Permissive mode just seemed to lessen the irritations it gave me, which is why I've disabled it, and I don't want it. Fedora itself, I don't mind.
 
Old 12-01-2009, 03:29 PM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by TheStarLion
As to the network security, I've never had a problem with the current setup, so I'm leaving it as is.
That's not what I asked for.


Quote:
Originally Posted by TheStarLion
As to the rest... (..) I don't intend on changing.
What you've asked for here isn't Linux Security-specific either. Please ask such questions in a separate thread.


Quote:
Originally Posted by TheStarLion
So removing/disabling SELinux might not, in general help the communities, but I seem to have a range of problems it causes - such as, my second issue, nothing Wine-related can run without gnome losing all theming, sometimes Wine applications fail to run, etc.
We're quite a helpful bunch over here but unless you post details that claim remains unsubstantiated.


Quote:
Originally Posted by TheStarLion
Permissive mode just seemed to lessen the irritations it gave me, which is why I've disabled it, and I don't want it. Fedora itself, I don't mind.
If there's problems with WINE and SE Linux then they should be fixed. Helping Fedora improve should be considered part of using it.
 
Old 12-01-2009, 03:31 PM   #7
TheStarLion
Member
 
Registered: Nov 2009
Location: UK
Distribution: Gentoo
Posts: 472

Original Poster
Rep: Reputation: 41
I know it's not what you asked for. The network security setup isn't relevant.
And I apologise for posting this in the wrong place, I thought this was the better place to put it seeing as it regarded SELinux.

My main issue is that SELinux is hampering the usability of Fedora on my laptop. So unless there is a means to... lessen its impact on the computer, I would rather have it not on the computer.
 
Old 12-01-2009, 06:02 PM   #8
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Rocky 9.2
Posts: 18,359

Rep: Reputation: 2751
You just need to disable SELinux (using the GUI) and reboot the system.
Quote:
Changing the Mode of SELinux Using the GUI

Use the following procedure to change the mode of SELinux using the GUI.

Note: You need administrator privileges to perform this procedure.

1. On the System menu, point to Administration and then click Security Level and Firewall to display the Security Level Configuration dialog box.
2. Click the SELinux tab.
3. In the SELinux Setting select either Disabled, Enforcing or Permissive, and then click OK.
4. If you changed from Enabled to Disabled or vice versa, you need to restart the machine for the change to take effect.
http://www.linuxtopia.org/online_boo...le-enforcement

Frankly I'd leave it running, it's there for a (very good) reason, but it's your choice.
Defence in depth dictates you never rely on other systems to do your security for you.
 
Old 12-01-2009, 06:44 PM   #9
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
Quote:
Originally Posted by TheStarLion
I know it's not what you asked for. The network security setup isn't relevant.
And I apologise for posting this in the wrong place, I thought this was the better place to put it seeing as it regarded SELinux.

My main issue is that SELinux is hampering the usability of Fedora on my laptop. So unless there is a means to... lessen its impact on the computer, I would rather have it not on the computer.
SELinux is not hampering your usability of fedora if it _IS_ disabled. It is disabled on boot-up (if you disabled it correctly).


As for removing it. Do yourself a favor and don't try. SELinux is part of the kernel. You need to compile a new kernel and disable it yourself. SELinux has been turned on by default since Fedora core 4-5 IIRC. And as unSpawn stated it is integrated into most Fedora applications. There is a reason that Fedora, Gentoo, Ubuntu and many others support SELinux.



And for your network comment. If you truly believe that the network fully protects your system from buffer overflows, malformed packets, etc., then you should surely keep SELinux enabled 100% and go do some research before thinking about disabling SELinux.


-Slimm
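
A way to check whether "disabled" has actually taken effect, as discussed in the posts above (an added example, not part of any post in this thread): it compares the mode requested in a file in `/etc/selinux/config` format and on the kernel command line with the mode selinuxfs reports. The function names, the sample files and the assumed precedence (`selinux=0` or `SELINUX=disabled` wins, then `enforcing=`) are this example's own.

```shell
# Added example (not from the thread). Paths are arguments so it runs offline.

# Print the SELINUX= value from a file in /etc/selinux/config format.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# Print the mode forced by kernel parameters selinux=0 / enforcing=N, if any.
cmdline_override() {
    override=
    for word in $1; do
        case $word in
            selinux=0)   echo disabled; return 0 ;;
            enforcing=0) override=permissive ;;
            enforcing=1) override=enforcing ;;
        esac
    done
    printf '%s' "$override"
}

# Print the kernel's mode; $1 is the selinuxfs mount (/sys/fs/selinux, or /selinux on older releases).
runtime_mode() {
    if [ ! -r "$1/enforce" ]; then echo disabled; return 0; fi
    case $(cat "$1/enforce") in 1) echo enforcing ;; *) echo permissive ;; esac
}

# Assumed precedence: selinux=0 or SELINUX=disabled, then enforcing=N, then the config value.
expected_mode() {
    cfg=$(configured_mode "$1"); ovr=$(cmdline_override "$2")
    if [ "$ovr" = disabled ] || [ "$cfg" = disabled ]; then echo disabled
    elif [ -n "$ovr" ]; then echo "$ovr"
    else echo "${cfg:-unknown}"; fi
}

# Args: config file, kernel command line string, selinuxfs directory.
# Real use: selinux_check /etc/selinux/config "$(cat /proc/cmdline)" /sys/fs/selinux
selinux_check() {
    want=$(expected_mode "$1" "$2"); have=$(runtime_mode "$3")
    if [ "$want" = "$have" ]; then echo "ok: $have"
    else echo "mismatch: boot settings say $want, kernel reports $have"; fi
}

# Constructed sample: config already edited to disabled, machine not yet rebooted.
demo=$(mktemp -d)
printf 'SELINUX=disabled\nSELINUXTYPE=targeted\n' > "$demo/config"
echo 1 > "$demo/enforce"
selinux_check "$demo/config" "ro root=/dev/sda1 quiet" "$demo"
rm -rf "$demo"
```
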
 
Old 12-02-2009, 10:44 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by slimm609
and for your network comment. If you truly believe that the network fully protects your system from buffer overflows, malformed packets, etc., then you should surely keep SELinux enabled 100% and go do some research before thinking about disabling SELinux.
Heh, thanks. Basically I was going to try and make him see that by asking the right questions but cutting things short with this kind of in-your-face reply should do nicely too :-]
 
Old 12-02-2009, 11:18 AM   #11
TheStarLion
Member
 
Registered: Nov 2009
Location: UK
Distribution: Gentoo
Posts: 472

Original Poster
Rep: Reputation: 41
Not really.
I'm satisfied now. I found out what I needed. Just leaving it disabled seems to be better for me.
 
Old 12-02-2009, 11:33 AM   #12
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I ran Fedora on my netbook for a time. I found that selinux would block some things the first few days (such as playing flash) but after a week or so, it didn't raise a peep. It would be worthwhile leaving it enabled and tweaking it. After a time, the biggest problem is forgetting which command to run because doing so is so rare.
 
Old 12-02-2009, 11:36 AM   #13
TheStarLion
Member
 
Registered: Nov 2009
Location: UK
Distribution: Gentoo
Posts: 472

Original Poster
Rep: Reputation: 41
I would too, except so far, I've not found any point to enabling it, except to have it complain at everything I try to do. Permissive just seemed to wait until I was just about to save my work, and then crash everything, then complain at me.
Since neither was of any use to me, I disabled it instead.
 
Old 12-02-2009, 12:56 PM   #14
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
As the OP has already made up his mind and isn't willing to listen (as I correctly indicated before) I would kindly advise my fellow LQ members to let this thread rest.
 
Old 12-02-2009, 01:10 PM   #15
TheStarLion
Member
 
Registered: Nov 2009
Location: UK
Distribution: Gentoo
Posts: 472

Original Poster
Rep: Reputation: 41
You appear to have erroneously jumped to the conclusion I haven't been listening.
I have been.
And as you apparently 'correctly' indicated I had made up my mind, I was at that time not certain. I was merely asking how to do it, should I have decided to remove it.

From what you and others have said here, I conclude the following about SELinux:
It is there to autonomously report bugs to the communities of either it, Fedora, or both. I do not want this. If I choose to submit a bug, I want it on my terms, not on a program that doesn't ask. As people in this thread seem to have trouble interpreting what I've been saying, I'll also clarify by saying that I don't know for certain if this is the case - this is merely based off what you have told me.
I also conclude that it has no place on a desktop PC connected to a network that has never had any issue larger than an occasional port scan, which has since been prevented from re-occurring. Yes, as a matter of fact I do have a separate computer monitoring and handling all network traffic, at little cost to speed. And I do regular checkups on all PCs. They have never returned any issues or malware.
Finally, I see no reason why I should use it, since it seems to do nothing but inconvenience me. I fail to see the reason any distribution would want it installed by default for a standard user. A server I could understand, but not a desktop.

And if you suggest changing distro again, then I expect you to explain which ISO of Slackware I'd need. Otherwise I'm here to stay on Fedora, except when I'm on the Ubuntu PC - but that's not mine, so I have no say there.

Feel free to correct me. Unless you're sticking to the theory that whatever I say is wrong, as so many people seem to lately.
 
  

