[onli]

I just fixed a bizarre problem on Fedora by disabling SE. By the way, the user is using a PC I configured with used hardware, partly from me. It's supposed to be a just-works system, meaning that it runs Fedora and I did no special configuration at all.

That was the error description I got: "When starting the network does not work. I have to do a lot of things to make it work." Later I got more infos: "It says there are 7 errors. If I let it fix it it has to restart and then works".

It turns out that these 7 errors are all SE-Linux-Errors. Something about /etc/resolv.conf not being readable. The error helper suggests to fix it for now and also some command to fix it permanently, those commands fail and do nothing. So of course I just deactivated that SE-bullshit.

Really, fucking vanilla Fedora on a mainstream Gnome3 desktop. What the hell are they thinking?

[lima]

If you'd post the actual errors, I'm sure we could help you with that.

[onli]

You mean the actual error message? Sorry, it's already solved now and I didn't write it down. It was in Spanish, so I also don't remember how it was worded. But its content is correctly described above: Unable to open /etc/resolv.conf.

And btw, that is exactly what I don't want. I do report errors, I solve bugs. But I don't want to debug SE-errors, which just because of its paranoia makes perfectly normal usage impossible, so far that distros that enable SEL spit out errormessages immediately after installation.

I don't see its purpose anyway.

[seanp2k2]

The main value in SELinux is to protect apps against things they should never be allowed to do (like your web app reading /etc/shadow or notepad listening for network connections) so that even if they get hit with a 0day, they're still not really vulnerable because the SEL stuff blocks all the bad things they could do. It really truly works in practice to prevent a bunch of bad stuff. In reality though, most people just disable it because it's a pain to learn and deal with.

[onli]

I know. But thanks for the answer. It is not what I meant, but it responds to what I wrote.

A security-solution that makes normal use impossible is not a solution. Security solutions never work if they make usability worse. SELinux goes farther, it also makes functionality worse till impossible. That is what I meant when I wrote that I don't see the point of it.

Something like that can be a good solution if you are manually hardening a specific process. As a general security solution it is completely unfit. I don't see the point of pushing it for that. Fedora should never have activated it.

[testUser69]

I've used Fedora on the desktop for about five years and never had this issue. Maybe they were thinking you shouldn't change permissions on files in /etc unless you know what you're doing?

[onli]

I did not change any permissions. Like I said, no modification from my side. Vanilla Fedora.