One of the reasons I dislike SELinux
I have a fixed personal opinion that systems should not spew kernel messages in the course of normal system operation, and especially not over the console. As I am busy finding out, yet again, SELinux fails this test in at least some circumstances on Fedora Core 5.
(Possibly the circumstances were odd, since my FC5 install hadn't managed to run the 'firstboot' stuff due to the un-upgraded X server crashing on this machine's hardware. Still, I brought it up in a normal runlevel 3 multiuser boot and started getting the spew when I did a 'yum update xorg-*'.)
Software should be silent in general logs unless either something is wrong or I have specifically asked for the information to be logged. I have not asked SELinux to natter at me, and if the stock SELinux configuration on a stock Fedora Core 5 machine has something wrong, I don't exactly want to be running it.
The idea that SELinux should log this stuff to kernel logs 'just in case' doesn't scale. SELinux is not the only kernel subsystem that might to log things just in case, and if everyone does it the kernel log buffer would probably roll over in about sixty seconds flat.
The right way to log this sort of just in case information is to put it in some special place, just for it, so that no one has to pay attention if they don't care. And make sure the log gets rolled, too.
|
|