SELinux question

I frequently end up disabling SELinux because it has a nasty habit of getting in my way while not actually protecting me from actual exploits; only updating the system in a timely manner actually does that.

Anyway, I always leave it enabled after initial install, but then when I use it, stuff like this keeps happening:

The directory tt-naron-mini-edition is in /usr/local/share/fonts where fonts that are system-wide but not managed by the package manager belong. The directory is owned by root but has read permission for system-wide use.

How the f*** do I configure SELinux to leave things like /usr/local/share/fonts alone because I sure as hell don’t want to have to mess with looking up and applying contexts every time I install a font, and I can’t see anything SELinux protects me from in that respect that standard UNIX permissions don’t already protect me from.

Hasn’t anyone yet developed sane SELinux defaults that don’t get in our way?

Have you ever clicked on the Troubleshoot button and followed the suggestions you’re given? If so, what happens?

You can also try running:

sudo restorecon -n tt-naron-mini-edition

to find out what the file’s security context should be.

I’d rather not have to mess with SELinux contexts when copying files into /usr/share/local/fonts, which is the standard location for fonts. SELinux isn’t protecting me from anything; it’s just getting in the way in that case. If the font is a trojan file maybe there’s some protection, but I doubt it; most trojans know how to get around SELinux anyway.

I understand the need for anal retentive SELinux policies on servers that handle things like medical data, but why does it have to be configured by default to get in the way with zero actual benefit to the user?

Across Fedora 20 to 40 on desktop, I’ve seen an SELinux notification once, somewhere in the 30s. I restorecon stuff anyway, but I don’t notice SELinux on Workstation.

Server is a different story though (SELinux is way more noticeable there 😛)


openSUSE Tumbleweed has an install-time option to choose AppArmor, SELinux, or None. I figure if I’m using Fedora then SELinux is expected to be enabled (longstanding default), but if I was considering turning it off I’d use another distro.