[YLUG] Fedora usability [was Re: clone fedora 10]

mike cloaked mike.cloaked at gmail.com
Mon Jan 5 16:25:54 UTC 2009


On Mon, Jan 5, 2009 at 10:29 AM, Arthur Clune <arthur at clune.org> wrote:
>
> On 25 Dec 2008, at 22:59, mike cloaked wrote:
>
>> F10 has some very cutting edge stuff and the new stuff is known to not
>> work in specific circumstances
>
>
> I really hate to start distro wars, but ....
>
> I used to be a RedHat user, starting with 5.2 and continuing on as RH changed
> to Fedora. I now think that Fedora is too bleeding edge to use on a box you want

OK Arthur we are all entitled to our opinions based on our experiences.

However I have, over the Christmas period, installed Fedora 10 on 6
machines, and on all of them I have left SElinux enforcing.

Yes I did have a few issues to resolve with SElinux denials, and
especially as I was moving from previous versions where SElinux was
disabled to the new system and also utilising partitions that were
untouched from the previous non-SElinux versions.

However I have now learned enough about SElinux that I was able to
resolve all the issues that remained, and I now have all 6 machines
running for the past week with not a single AVC denial, and one of the
machines is a server running the main dns/dhcp etc for the LAN.

I am sure that there will be other issues that arise when I configure
one of these machines as an NFS server before too long and run a
laptop as the NFS client over wireless.  However my experience is that
SElinux has for the first time reached the point where it is actually
largely usable on a day-to-day basis on a desktop/laptop/server.  As I
said there will doubtless be some issues that will need resolving but
there is an SElinux list for Fedora users, and there are people who
run the main Fedora SElinux policy who regularly help answer queries
there, and also will include new policy upstream as a result of
resolving issues on that forum. These then get implemented at the next
set of targeted policy updates via rpm.

I have a brother in the USA who installed Fedora 10 on several
machines over the vacation also, and he did come across some SElinux
particularly concerning a somewhat complex server setup involving
reverse proxy on squid. However in general he has resolved his
remaining issues. However he feels happier leaving SElinux permissive
and then resolving avc denials as they occur. When he has had none at
all for some period then he will switch to enforcing.

On the smolts statistics page (
http://smolts.org/static/stats/stats.html click on the SElinux tab )
it appears that something approaching 70% of Fedora users have SElinux
enabled and about 62% leave it enforcing now. Not everybody wants it
and of course you can switch it off ( or set it permissive) if you
don't want it enforcing.  However it does give an added layer of
protection against the small chance that a bad guy gets in to a
machine - it constrains what can be run/executed and particularly
where servers visible to the external world are concerned that is
surely not a bad thing to have.  However everyone is free not to use
it, but in a world where there are ever more bad people out there
trying to trash your machines or get access to sensitive information
every additional layer of security helps. You can of course allow
users different levels of constraint, but it does need survival of a
learning curve to get going.

There were some install issues also but on specific hardware where
there are known bugs - there is a common bugs page for Fedora users
where these get listed once they are identified and reported. There is
a known xorg issue for Fedora 10 with machines that have the Intel
integrated 82845G graphics chip for example and these are currently
not yet resolved. These are not related to SElinux though but to xorg
drivers.

I am not experienced with other distributions but I would expect there
would be issues with some combinations of hardware for every
distribution but may be less with those using older more stable
packages.  RHEL is based on Fedora 6 currently which is about 2 years
old.

I don't know Ubuntu at all, and I know it has a similar popularity
level to Fedora in terms of approximately the same number of
installs/updates - but I don't know if a similar fraction of hardware
has problems with Ubuntu as with Fedora?

Happy New Year

-- 
mike


