On Fri, Apr 15, 2011 at 09:02:31AM -0400, Chris Lalancette wrote:
On 04/15/11 - 02:49:22AM, Francesco Vollero wrote:
On Thu, Apr 14, 2011 at 09:46:04AM -0400, Chris Lalancette wrote:
On 04/14/11 - 03:33:09PM, fvollero@redhat.com wrote:
From: Francesco Vollero fvollero@redhat.com
With this patch we get a more easy and "invisible" way to set the bool in selinux to activate httpd_can_network_connect just after the installation of the rpm, allowing aeolus-configure to have it just working.
[snip]
NACK. This lowers the security of the system by just installing a package.
I accept your NACK but the explanation is inconsistent. Since aeolus-configure is doing the same identical thing, and, after you install the package one of the first thing that he's doing is to run this command.
And, since aeolus-configure need httpd_mod_proxy to be on, while running, i think its more logical that can be done as post installation configuration and not from some puppet recipe. Btw if what you said Chris, about raising down the security of the system with a package, i can argue to give a look on selinux policies about it. Activating mod_proxy if you need it, does not mean you are lowering the security of the system and btw, this rule *just* work on deamons, that mean, that you really want to use it. Is like that you want httpd and you dont want to let him communicate on port 80, its just silly.
So, maybe you want to give a good and reasonable explanation and/or going more in detail. Btw i can give you a list of rpm that are doing the same identical thing that i do, one for all, jabberd from where i take the idea. And i do this patch with a bless of SELinux guy, and i think they know better than me, what mean security, since they are creating our policies for RHEL and Fedora.
(I just looked at the jabberd spec file, andd I do not see the place where it turns on an SELinux boolean. Can you point it out in more detail?)
Sorry i cited the wrong package, I was referring to spacewalk:
git clone git://git.fedorahosted.org/spacewalk.git/ grep -r setsebool ./spacewalk
While we can't work without it, this is a configuration-time decision, so belongs in aeolus-configure.
If was just "i need it just for aeolus-configure stuff and after i close it again" i would agree with you, but since Conductor need it ALWAYS, its the same thing.
But it is not the same thing. I have ~1700 packages installed on my laptop, and I am certainly not using all of them. I would be pretty upset if the mere fact of installing one of them caused my system to have less security. Once the user goes to the trouble of running aeolus-configure, then they have signalled a desire to use Conductor, and at that point it is appropriate to setup the boolean.
Ok. Obviously in this moment aeolus-configure is not acting in this way. What about disabling "by default" the enforcing mode?
Anyway, thanks for your feedback.