[Fedora-packaging] SELinux testing
paul at city-fan.org
Sun Sep 10 08:36:53 UTC 2006
On Sat, 2006-09-09 at 11:15 -0500, Steven Pritchard wrote:
> On Fri, Sep 08, 2006 at 04:50:44PM -0400, James Morris wrote:
> > 7. If for some reason, #2 is not possible, and the release of the package
> > is important enough to warrant disabling a core security feature of the
> > OS:
> > 7a. Make a note of the bugzilla # from (1) in the rpm info, cvs commit and
> > release notes, with an explanation. Also include a standardized
> > disclaimer in the rpm info which advises the user of the security risks
> > arising from disabling SELinux. This should only happen in truly
> > exceptional cases. I'm not sure how we can reliably notify users that
> > SELinux can be re-enabled again, and whether they'll tolerate the entire
> > fs being relabeled on reboot. Really, this just should not happen.
> Can the policy for one application be turned off? (I honestly don't
> know... I haven't been able to justify spending the time to really
> wrap my brain around SELinux yet.)
This is usually possible, by setting the xxx_disable_trans SELinux
boolean, service xxx doesn't transition from the unconfined domain and
effectively runs with SELinux protection turned off.
> If not, that seems like a major flaw. It seems to me that if a user
> could just toggle off checks for a particular application (and reboot,
> I would assume) and have everything work well enough, there would be
> an incentive to fix the one application to work with SELinux instead
> of just turning off SELinux entirely.
Reboot isn't necessary; restarting the service should suffice.
More information about the packaging