chmod -r 7777 ./*

or find that every account in /etc/passwd had UID 0, because people didn’t want to fuss with permissions… in fact your original story covers a meme from Usenet back in the late 1980’s early 1990’s about why DOS was better than Unix or VMS.

The big issue is that commands and usage have changed, and it makes us grayhairs feel like we have to relearn everything which can make us grumpy… but in the end we just have to get over it.

As to Jeremy’s comments, this is not like chmod or chown, because those are well understood, well documented commands using a couple of standard users and modes. It’s pretty easy to deal with users like “root” and “jcm” on my laptop, but I had to manually trawl through many hundreds of possible SE Linux contexts before I discovered which one I should be using. Even after that, I picked the wrong one, had to create a dummy VM and poke at the image to find what context labeling I should have used, before I could just go and do what I had been trying to do an hour earlier. In other words, I lost an hour figuring out just how to create one VM image…this is not ease of use.

Note, I’m not saying “SELinux is pointless”, I’m saying we’re going nuts with policy here. We should be protecting the 80% win case, rather than going for the 20% pain. Let’s protect our servers from compromises in apache, etc. rather than protecting users from themselves. Having said that, I’m not insensitive to the desire to protect ourselves from VM compromise…but the line has to be drawn somewhere.

https://bugzilla.redhat.com/show_bug.cgi?id=452671
https://bugzilla.redhat.com/show_bug.cgi?id=452669

If you wish to participate in discussion relating to SELinux and Fedora, I suggest posting to the fedora-selinux mailing list:

http://www.redhat.com/mailman/listinfo/fedora-selinux-list

Thanks.

Think of ‘chcon virtcon_t’ as exactly the same sort of operation as ‘chmod foo’ and allowing an _application_ as opposed to a user the access to the file. And it is very important to be confining some of these user sorts of applications — or would you like for a compromise in kvm to allow your guest to access any file (or device) on your system?

To some point I agree with you, but on others I don’t. Perhaps SELinux is too complex to understand, but the example you use is exactly the same example I could use about Descretionary Access Control being too complex. I set up my apache server and installed to html files, apache blue up with permission denied I had to

sudo chown apache /var/www/myfile
sudo chmod r /var/www/myfile

It would be nice if virtmanager had labeled the files correctly when they were created but it did not, probably a bug. SELinux can be a pain in the but, but we are now seeing it block vulnerabilities like the latest Flash Plugin and executable Memory/buffer overflow attacks. These are both user space vulnerabilities.

Whether we can ever cover the breath of complexity of Linux with a comprehensive policy is still up for question. But if we could just get the people to realize it is just about the labels.