On 12/07/2010 08:12 AM, Daniel J Walsh wrote:
>
> Yes SELinux and all MAC systems require that if the administrator puts
> files in non default directories, then they have to be told. In
> the case of SELinux, this involves correcting the labeling. DAC has
> similar problems, in that you need to make sure the permission flags and
> ownership are correct. Of course admins have been dealing with DAC for
> years so they understand it, and the number of UID/Permission
> combinations is more limited than the amounts of labels that SELinux
> presents.
>
> I wrote this paper to try to explain what SELinux tends to complain about.
>
> http://people.fedoraproject.org/~dwalsh/SELinux/Presentations/selinux_four_things.pdf

The fact remains that as the old saw goes: Make it hard enough to do something and people will quit doing it.

SELinux remains *hard* for most non-default users. As the lead SE developer, things you find utterly routine and only slightly annoying are major roadblocks to many other people. You aren't the average user. You aren't even close to one.

A *sophisticated* user will see the suggestion given by sealert to run chcon, follow it, *and have no idea that a system relabel can screw it up again*. sealert doesn't even mention the issue! It is as if the person who wrote the sealert messages never considered that people would like things fixed permanently rather than just until the next SELinux update relabels the system.

I have 15 years' experience running Linux servers. And I find SELinux damn annoying. I can work with it at need - but I'm generally pissed off when I find 'yet another SELinux issue'. My boss, who is the fallback admin here, would find it utterly opaque. He would have no idea where to even start looking for an SELinux issue.

The issue is similar to that of using passwords of more than 10 characters composed of random mixed-case alphanumeric characters (ideally with special characters mixed in). Yes - they are provably more secure in a technical sense than virtually any easily remembered system. However *real people* have to use the passwords. And they will put the damn things on taped notes on the bottom of their laptop if you make them too hard (not conjectural - I've caught people here doing exactly that).

BTW: You have a typographical error on your semanage example. You don't have a closing ' character on the file_spec.

--
Benjamin Franz
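The chcon-versus-relabel point made above, shown with an added example that is not code from either poster. It takes a listing in the format of `semanage fcontext -l` (here a constructed sample with placeholder paths and types, not from any real system), works out which type a relabel would assign to a path, and so reports whether a label set with chcon survives; it then prints the `semanage fcontext` plus `restorecon` pair that makes the label persistent, with the file_spec properly quoted and closed. The lookup assumes libselinux's rule that the last matching spec wins (local rules are appended after the base policy), which is why the added rule takes precedence.

```shell
#!/bin/sh
# Added example for this thread, not code from the original post.
# chcon rewrites the label on the inode only. restorecon, fixfiles and a
# boot-time relabel consult the policy's file_contexts rules (what
# `semanage fcontext -l` lists) and overwrite whatever is on disk. A fix
# that survives a relabel therefore has to add a rule, then apply it.

# Constructed sample of `semanage fcontext -l` output. Paths and types are
# placeholders, not taken from any real system.
SAMPLE_FCONTEXT_LIST='SELinux fcontext                   type               Context
/                                  directory          system_u:object_r:root_t:s0
/.*                                all files          system_u:object_r:default_t:s0
/srv/www(/.*)?                     all files          system_u:object_r:httpd_sys_content_t:s0
/srv/www/uploads(/.*)?             all files          system_u:object_r:httpd_sys_rw_content_t:s0'

# fcontext_type PATH: print the type a relabel would give PATH, reading a
# listing in the format above from stdin. Assumption modelled on libselinux:
# the last matching spec wins, which is how semanage additions override the
# base policy. Prints "none" if no rule matches.
fcontext_type() {
    awk -v p="$1" '
        NR > 1 && NF >= 3 && $NF != "<<None>>" {
            # file_contexts specs are regexes over the full path, so anchor them
            if (p ~ ("^" $1 "$")) { split($NF, ctx, ":"); found = ctx[3] }
        }
        END { print (found == "" ? "none" : found) }'
}

# relabel_effect CUR_TYPE PATH: given the type PATH carries now (e.g. after
# chcon), report whether a relabel keeps it. Reads the listing from stdin.
relabel_effect() {
    cur=$1
    want=$(fcontext_type "$2")
    if [ "$want" = "$cur" ]; then
        echo persistent
    else
        echo "reverts to $want"
    fi
}

# persistent_fix_cmds DIR TYPE: the two commands the chcon advice omits.
# The file_spec is single-quoted, and the quote is closed, so the shell does
# not try to expand (/.*)?.
persistent_fix_cmds() {
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$2" "$1"
    printf "restorecon -Rv '%s'\n" "$1"
}

# Demo: a web root placed in a non-default directory and fixed with chcon.
printf '%s\n' "$SAMPLE_FCONTEXT_LIST" | relabel_effect httpd_sys_content_t /opt/site/index.html
persistent_fix_cmds /opt/site httpd_sys_content_t
```

Run against the sample, the demo reports that `/opt/site/index.html` reverts to `default_t` (only the catch-all `/.*` rule matches it), then prints the `semanage fcontext -a` and `restorecon -Rv` lines that would add a matching rule so the next relabel reapplies `httpd_sys_content_t` instead of undoing it.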