It seems that the SELinux enablement stats are now online -- thanks!
I have a question about what the numbers mean. The current values are:
SELinux Enabled False 185085 53.3 % True 162262 46.7 % for 347347 registered hosts.
Now, the "OS" column include several distros and versions, including FC5, Centos5 through to current rawhide, with the same number of total hosts.
As the SELinux figures have only been collected since F8, does this mean that we should calculate "total SELinux enabled" only for:
OS Hosts F8 130282 F7.x (rawhide) 5517 F8.x (rawhide) 920 ---------------------------- 136719 (actually providing SELinux stats) ----------------------------
where the percentage enabled is actually thus at least 74% ?
- James
On Feb 18, 2008 11:25 PM, James Morris jmorris@namei.org wrote:
It seems that the SELinux enablement stats are now online -- thanks!
I have a question about what the numbers mean. The current values are:
SELinux Enabled False 185085 53.3 % True 162262 46.7 %
for 347347 registered hosts.
Now, the "OS" column include several distros and versions, including FC5, Centos5 through to current rawhide, with the same number of total hosts.
As the SELinux figures have only been collected since F8, does this mean that we should calculate "total SELinux enabled" only for:
OS Hosts F8 130282 F7.x (rawhide) 5517 F8.x (rawhide) 920
136719 (actually providing SELinux stats)
where the percentage enabled is actually thus at least 74% ?
We probably need more detailed reporting for this sort of thing. I'll put it on a TODO, for after FOSDEM. I wanted to get this draft out, so we can decide what reporting we need on a more evolutionary basis. (Or by intelligent design if you hold by that sort of thing.)
(Don't worry, I made myself promise myself that I wouldn't pick up new project ideas this time around. I'll hopefully be able to take care of this fairly quickly.)
-Yaakov
On Mon, 18 Feb 2008, Yaakov Nemoy wrote:
where the percentage enabled is actually thus at least 74% ?
We probably need more detailed reporting for this sort of thing. I'll put it on a TODO, for after FOSDEM. I wanted to get this draft out, so we can decide what reporting we need on a more evolutionary basis. (Or by intelligent design if you hold by that sort of thing.)
Ok, can we simply get an answer on how the numbers are arrived at for cases prior to when SELinux reporting started? i.e. if not reporting SELinux (F7 etc), is the default to present it on the site as "Disabled" ?
Knowing that, we can simply derive the correct value.
Also, could a note be added to that page so that people don't assume it is fully correct as stated ?
We've had enough problems historically with people adopting one benchmark result from a range of results as being the overall result, for example.
- James
On Mon, 18 Feb 2008, Yaakov Nemoy wrote:
On Feb 18, 2008 11:25 PM, James Morris jmorris@namei.org wrote:
It seems that the SELinux enablement stats are now online -- thanks!
We probably need more detailed reporting for this sort of thing. I'll put it on a TODO, for after FOSDEM. I wanted to get this draft out, so we can decide what reporting we need on a more evolutionary basis. (Or by intelligent design if you hold by that sort of thing.)
(Don't worry, I made myself promise myself that I wouldn't pick up new project ideas this time around. I'll hopefully be able to take care of this fairly quickly.)
We really need some ad-hoc reporting and filters. I wonder if our db would survive it :)
-Mike
On Feb 19, 2008 10:00 AM, Mike McGrath mmcgrath@redhat.com wrote:
On Mon, 18 Feb 2008, Yaakov Nemoy wrote:
On Feb 18, 2008 11:25 PM, James Morris jmorris@namei.org wrote:
It seems that the SELinux enablement stats are now online -- thanks!
We probably need more detailed reporting for this sort of thing. I'll put it on a TODO, for after FOSDEM. I wanted to get this draft out, so we can decide what reporting we need on a more evolutionary basis. (Or by intelligent design if you hold by that sort of thing.)
(Don't worry, I made myself promise myself that I wouldn't pick up new project ideas this time around. I'll hopefully be able to take care of this fairly quickly.)
We really need some ad-hoc reporting and filters. I wonder if our db would survive it :)
-Mike
Probably, as soon as i get off my but and figure out how.
On Mon, 2008-02-18 at 23:45 -0500, Yaakov Nemoy wrote:
On Feb 18, 2008 11:25 PM, James Morris jmorris@namei.org wrote:
It seems that the SELinux enablement stats are now online -- thanks!
I have a question about what the numbers mean. The current values are:
SELinux Enabled False 185085 53.3 % True 162262 46.7 %
for 347347 registered hosts.
Now, the "OS" column include several distros and versions, including FC5, Centos5 through to current rawhide, with the same number of total hosts.
As the SELinux figures have only been collected since F8, does this mean that we should calculate "total SELinux enabled" only for:
OS Hosts F8 130282 F7.x (rawhide) 5517 F8.x (rawhide) 920
136719 (actually providing SELinux stats)
where the percentage enabled is actually thus at least 74% ?
We probably need more detailed reporting for this sort of thing. I'll put it on a TODO, for after FOSDEM. I wanted to get this draft out, so we can decide what reporting we need on a more evolutionary basis. (Or by intelligent design if you hold by that sort of thing.)
(Don't worry, I made myself promise myself that I wouldn't pick up new project ideas this time around. I'll hopefully be able to take care of this fairly quickly.)
Hi,
Any progress on this? At the least, it would be nice if the smolt selinux stats page only reported enabled/disabled information for Fedora 8 and later where it was actually being collected correctly (I wouldn't use anything prior, since Fedora 8 test2 had a bug in its reporting and Fedora 7 and earlier had no reporting for it, IIUC). Otherwise, the selinux stats page is essentially useless in its current form.
Also, I don't understand the SELinux Enforce section of the page - there seems to be a mixture of policy type (e.g. targeted, seedit, strict) and enforcing status (enforcing, permissive) there, which then overlaps with the SELinux policy section. Possibly by omitting everything prior to Fedora 8 release would clear that up too since the precise information being reported changed.
On Fri, Mar 21, 2008 at 10:11 AM, Stephen Smalley sds@tycho.nsa.gov wrote:
On Mon, 2008-02-18 at 23:45 -0500, Yaakov Nemoy wrote:
On Feb 18, 2008 11:25 PM, James Morris jmorris@namei.org wrote:
It seems that the SELinux enablement stats are now online -- thanks!
I have a question about what the numbers mean. The current values are:
SELinux Enabled False 185085 53.3 % True 162262 46.7 %
for 347347 registered hosts.
Now, the "OS" column include several distros and versions, including FC5, Centos5 through to current rawhide, with the same number of total hosts.
As the SELinux figures have only been collected since F8, does this mean that we should calculate "total SELinux enabled" only for:
OS Hosts F8 130282 F7.x (rawhide) 5517 F8.x (rawhide) 920
136719 (actually providing SELinux stats)
where the percentage enabled is actually thus at least 74% ?
We probably need more detailed reporting for this sort of thing. I'll put it on a TODO, for after FOSDEM. I wanted to get this draft out, so we can decide what reporting we need on a more evolutionary basis. (Or by intelligent design if you hold by that sort of thing.)
(Don't worry, I made myself promise myself that I wouldn't pick up new project ideas this time around. I'll hopefully be able to take care of this fairly quickly.)
Hi,
Any progress on this? At the least, it would be nice if the smolt selinux stats page only reported enabled/disabled information for Fedora 8 and later where it was actually being collected correctly (I wouldn't use anything prior, since Fedora 8 test2 had a bug in its reporting and Fedora 7 and earlier had no reporting for it, IIUC). Otherwise, the selinux stats page is essentially useless in its current form.
Also, I don't understand the SELinux Enforce section of the page - there seems to be a mixture of policy type (e.g. targeted, seedit, strict) and enforcing status (enforcing, permissive) there, which then overlaps with the SELinux policy section. Possibly by omitting everything prior to Fedora 8 release would clear that up too since the precise information being reported changed.
We're making some progress within the time that I have in between school work. I have a working proof of concept in our git repository, which you can see evidence about here:
http://loupgaroublond.blogspot.com/2008/03/sign-of-things-to-come.html
Unfortunately, I think this is a feature that is going to be available sometime after Fedora 9 is release, as I won't have much time in the coming month to work on it.
You also mention some confusion in the database fields for Enforce. There might have been some confusion when we had to do a database migration. I will have to investigate this further, as that doesn't sound correct at all.
-Yaakov
James Morris wrote:
It seems that the SELinux enablement stats are now online -- thanks!
I have a question about what the numbers mean. The current values are:
SELinux Enabled False 185085 53.3 % True 162262 46.7 %
If this arguments are true for Fedora 8 than it looks like that more people dislike selinux than like it, right?
On Wed, 2008-02-20 at 11:45 +0100, Valent Turkovic wrote:
James Morris wrote:
It seems that the SELinux enablement stats are now online -- thanks!
I have a question about what the numbers mean. The current values are:
SELinux Enabled False 185085 53.3 % True 162262 46.7 %
If this arguments are true for Fedora 8 than it looks like that more people dislike selinux than like it, right?
Not necessarily. It's possible that SELinux is disabled for various app-related reasons, but the person in charge of the machine would rather have left it on.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Ignacio Vazquez-Abrams wrote:
On Wed, 2008-02-20 at 11:45 +0100, Valent Turkovic wrote:
James Morris wrote:
It seems that the SELinux enablement stats are now online -- thanks!
I have a question about what the numbers mean. The current values are:
SELinux Enabled False 185085 53.3 % True 162262 46.7 %
If this arguments are true for Fedora 8 than it looks like that more people dislike selinux than like it, right?
Not necessarily. It's possible that SELinux is disabled for various app-related reasons, but the person in charge of the machine would rather have left it on.
These stats are misleading. They include machines that the data was never collected for (pre fc8) as Disabled, So the default for smolt is if it does not know - disabled. The Smolt guys are working on getting a better break out.
On Wed, 20 Feb 2008, Valent Turkovic wrote:
James Morris wrote:
It seems that the SELinux enablement stats are now online -- thanks!
I have a question about what the numbers mean. The current values are:
SELinux Enabled False 185085 53.3 % True 162262 46.7 %
If this arguments are true for Fedora 8 than it looks like that more people dislike selinux than like it, right?
Why did you delete the rest of the email, which queried these numbers and suggested that the real figure for enablement was much higher?
btw, I asked off-list for a raw SQL query for just F8 systems (which have been reporting SELinux stats all along), and the "Enabled=True" value is currently 94%.
It's not clear to me what these numbers really mean, and I think it may be some time before we are able to really see what's happening (e.g. between smolt changes, initial reports, re-reporting, different distro versions with different levels of usability, permissive vs. enforcing etc.).
- James
James Morris wrote:
On Wed, 20 Feb 2008, Valent Turkovic wrote:
James Morris wrote:
It seems that the SELinux enablement stats are now online -- thanks!
I have a question about what the numbers mean. The current values are:
SELinux Enabled False 185085 53.3 % True 162262 46.7 %
If this arguments are true for Fedora 8 than it looks like that more people dislike selinux than like it, right?
Why did you delete the rest of the email ...
Because Valent has an anti SELinux agenda (refer to previous threads).
On Wed, Feb 20, 2008 at 3:29 PM, John Dennis jdennis@redhat.com wrote:
James Morris wrote:
On Wed, 20 Feb 2008, Valent Turkovic wrote:
James Morris wrote:
It seems that the SELinux enablement stats are now online -- thanks!
I have a question about what the numbers mean. The current values are:
SELinux Enabled False 185085 53.3 % True 162262 46.7 %
If this arguments are true for Fedora 8 than it looks like that more people dislike selinux than like it, right?
Why did you delete the rest of the email ...
Because Valent has an anti SELinux agenda (refer to previous threads).
You are afraid of selinux comments from me? LOL :)
I have actually said I really love selinux after the selinux thread I started. I only presented the cost vs. benefits of selinux for average desktop user and now everybody thinks I'm a selinux basher? Shame on you :)
I actually contribute a lot of bugs for selinux-policy in order to make selinux as better as possible (look at my bugzilla entries).
Please refrain from having premature judgments - instead ask me what I think and don't have prejudices.
Cheers, Valent.
James Morris jmorris@namei.org writes:
btw, I asked off-list for a raw SQL query for just F8 systems (which have been reporting SELinux stats all along), and the "Enabled=True" value is currently 94%.
Does Enabled=True imply enforcing?
/Benny
On Wed, 20 Feb 2008, Benny Amorsen wrote:
James Morris jmorris@namei.org writes:
btw, I asked off-list for a raw SQL query for just F8 systems (which have been reporting SELinux stats all along), and the "Enabled=True" value is currently 94%.
Does Enabled=True imply enforcing?
No. I think they are starting to collect that now.
What would also be useful would be to compare figures with other security features like iptables.
- James
On Feb 20, 2008 4:45 AM, Valent Turkovic valent.turkovic@gmail.com wrote:
James Morris wrote:
It seems that the SELinux enablement stats are now online -- thanks!
I have a question about what the numbers mean. The current values are:
SELinux Enabled False 185085 53.3 % True 162262 46.7 %
That's a huge assumption.
Arthur Pemberton wrote:
On Feb 20, 2008 4:45 AM, Valent Turkovic valent.turkovic@gmail.com wrote:
James Morris wrote:
It seems that the SELinux enablement stats are now online -- thanks!
I have a question about what the numbers mean. The current values are:
SELinux Enabled False 185085 53.3 % True 162262 46.7 %
That's a huge assumption.
Uh, maybe you deleted more than you meant? What's a huge assumption?
--CJD
On Wed, Feb 20, 2008 at 5:45 AM, Valent Turkovic valent.turkovic@gmail.com wrote:
James Morris wrote:
It seems that the SELinux enablement stats are now online -- thanks!
I have a question about what the numbers mean. The current values are:
SELinux Enabled False 185085 53.3 % True 162262 46.7 %
If this arguments are true for Fedora 8 than it looks like that more people dislike selinux than like it, right?
If we assume a standard deviation of 3%, since I have no basis for that number anyways, but it makes my math clear, we can assume 50% of all people have Selinux enabled. 50% is not a bad number. Smolt only sees a 10% usage of the Fedora world, and I am thoroughly jealous.
-Yaakov
On Wednesday 20 February 2008 05:45:47 Valent Turkovic wrote:
If this arguments are true for Fedora 8 than it looks like that more people dislike selinux than like it, right?
It is also possible that they had not enabled SELinux in the past, and never had time to enable it in more recent Fedora releases. Enabling SELinux for the first time requires the entire filesystem to be scanned, and for some people who have large disks and have been using their system for a while, that could be a hassle, so they may choose to not do it.
Also remember that these stats do not represent an unbiased sample, and should not be taken to be an indication of the broad Fedora user base.
-- Benjamin Kreuter
Benjamin Kreuter wrote:
On Wednesday 20 February 2008 05:45:47 Valent Turkovic wrote:
If this arguments are true for Fedora 8 than it looks like that more people dislike selinux than like it, right?
It is also possible that they had not enabled SELinux in the past, and never had time to enable it in more recent Fedora releases. Enabling SELinux for the first time requires the entire filesystem to be scanned, and for some people who have large disks and have been using their system for a while, that could be a hassle, so they may choose to not do it.
Also remember that these stats do not represent an unbiased sample, and should not be taken to be an indication of the broad Fedora user base.
-- Benjamin Kreuter
+1
I don't run SELinux on anything right now because I turned it off way back when and never bothered to turn it back on.
--CJD
Benjamin Kreuter wrote:
On Wednesday 20 February 2008 05:45:47 Valent Turkovic wrote:
If this arguments are true for Fedora 8 than it looks like that more people dislike selinux than like it, right?
Also remember that these stats do not represent an unbiased sample, and should not be taken to be an indication of the broad Fedora user base.
You can draw one conclusion: it's likely smolt is not adversely affected by selinux.
2008/2/20 Benjamin Kreuter ben.kreuter@gmail.com:
On Wednesday 20 February 2008 05:45:47 Valent Turkovic wrote:
If this arguments are true for Fedora 8 than it looks like that more people dislike selinux than like it, right?
It is also possible that they had not enabled SELinux in the past, and never had time to enable it in more recent Fedora releases. Enabling SELinux for the first time requires the entire filesystem to be scanned, and for some people who have large disks and have been using their system for a while, that could be a hassle, so they may choose to not do it.
Also remember that these stats do not represent an unbiased sample, and should not be taken to be an indication of the broad Fedora user base.
Are you telling this stats are useless? Or only that everybody can interpret them as they wish? (which is the same as being useless?)
I'm really confused...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Valent Turkovic wrote:
2008/2/20 Benjamin Kreuter ben.kreuter@gmail.com:
On Wednesday 20 February 2008 05:45:47 Valent Turkovic wrote:
If this arguments are true for Fedora 8 than it looks like that more people dislike selinux than like it, right?
It is also possible that they had not enabled SELinux in the past, and never had time to enable it in more recent Fedora releases. Enabling SELinux for the first time requires the entire filesystem to be scanned, and for some people who have large disks and have been using their system for a while, that could be a hassle, so they may choose to not do it.
Also remember that these stats do not represent an unbiased sample, and should not be taken to be an indication of the broad Fedora user base.
Are you telling this stats are useless? Or only that everybody can interpret them as they wish? (which is the same as being useless?)
I'm really confused...
I think the stats are developing. Currently we are not providing enough information to make a real good interpretation of the data. 50 % of all machines that smolt has ever collected data for report they have selinux _enabled. This does not mean the other 50% reported that they have it disabled, just that they have not reported that it is enabled. :^( I sound like a politician.
Lies, Damn Lies and Statistics.
And yes Valent has been working with us to repair problems in SELinux.
devel@lists.stg.fedoraproject.org