Valent Turkovic wrote:
> John Dennis wrote:
>> Valent Turkovic wrote:
>>> 2008/1/22 Jesse Keating <jkeating(a)redhat.com>:
>>>> On Tue, 22 Jan 2008 13:29:03 +0100
>>>> "Valent Turkovic" <valent.turkovic(a)gmail.com> wrote:
>>>>
>>>>> I tested revisor and wanted to make an up to date version of Fedora 8
>>>>> Live CD - but selinux put a stop to that.
>>>> Selinux is not going to work at all for things like revisor (and
>>>> pungi/livecd-creator). Both make use of chroots to install packages
>>>> into, and in certain cases you can wind up causing lots of harm to your
>>>> host system (installing a new policy in the chroot will actually cause
>>>> that policy to activate on the running kernel and then you have policy
>>>> that doesn't match labels, watch the fun!).
>>>>
>>>> It is strongly recommended that you disable SELinux or at least put it
>>>> in permissive if you're going to be doing composes.
>>>
>>> Is there a way to make selinux aware of that or at least put a
>>> notification window saying that you need to disable selinux in order
>>> to use revisor?
>>
>> Revisor could be aware of SELinux and provide a warning, SELinux
>> cannot do this.
>>
>>> One more issue for removing selinux as I said in an earlier thread :)
>>> Selinux breaks features by design and in a bad way, and I as a user
>>> see more trouble from selinux than it is worth (just MHO).
>>
>> Your dissatisfaction with SELinux has been duly noted by the list, you
>> are free to disable it. However, we would prefer contributions to make
>> the distribution more robust and smooth out the bumps rather than
>> disabling the technology. Your choice.
>>
> I started to like selinux because all of you great fedora devels said
> nothing but praises for it, but still it seems that any "feature" I test
> seems to break because of selinux.
> But don't worry, you all convinced me that selinux has a good reason to
> stay.
> Valent.
As Jesse stated earlier, using SELinux on a machine where you are going
to use a chroot and install packages without using a virtual machine
currently will not work. You are using the same kernel for both the
chroot and the host machine, so when a package loads new policy in the
chroot (selinux-policy-*rpm) the new policy will affect the host
machine. For example, if you are building a Fedora 7 livecd on a Fedora
8 host machine, when the new selinux-policy package gets installed the
Fedora 7 policy will load and replace the Fedora 8 policy. This will
invalidate any contexts that existed in Fedora 8 and not in Fedora 7,
causing them to become unlabeled_t. If this happens to a process, the
process usually goes wild. We (SELinux engineering) are working on some
solutions, but don't have a good one now.
Virtual machines? Getting the chroot to run with a different kernel.
Faking out /selinux in chroot to do nothing on policy load?
Trying to stop Transitions?
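A pre-flight check of the kind John says Revisor could add, written here as an added example (not revisor's or any Fedora tool's own code): it reads the SELinux enforce node and refuses to start a compose while the host is enforcing, since the chroot shares the host kernel and a selinux-policy package installed inside it would load on the host. The node path is a parameter so the check can be run against a constructed file; on a current system it is /sys/fs/selinux/enforce (at the time of this thread selinuxfs was mounted at /selinux).

```shell
#!/bin/sh
# Added example: a compose-tool pre-flight check for the host's SELinux
# state. Not part of revisor; the enforce-node path is a parameter so
# the functions can be exercised against a constructed file.

# Print the host SELinux state: "disabled", "permissive", "enforcing"
# or "unknown". Argument 1 (optional): path of the selinuxfs enforce node.
selinux_mode() {
    enforce_file="${1:-/sys/fs/selinux/enforce}"
    if [ ! -r "$enforce_file" ]; then
        # selinuxfs not mounted (or unreadable): treat as disabled
        echo disabled
        return 0
    fi
    case "$(cat "$enforce_file")" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo unknown ;;
    esac
}

# Exit 0 when a chroot compose may proceed, 1 when it must not.
# Enforcing: refuse, because policy installed in the chroot activates on
# the running kernel and leaves host labels unmatched (unlabeled_t).
# Permissive: proceed, but warn that the label mismatch still happens.
compose_preflight() {
    mode=$(selinux_mode "$1")
    case "$mode" in
        enforcing)
            echo "SELinux is enforcing on the host; policy installed in the chroot" >&2
            echo "would load into the running kernel. Switch to permissive" >&2
            echo "(setenforce 0) or disable SELinux before composing." >&2
            return 1 ;;
        permissive)
            echo "warning: SELinux is permissive; a mismatched policy from the" >&2
            echo "chroot can still leave host objects as unlabeled_t." >&2
            return 0 ;;
        *)
            return 0 ;;
    esac
}

# Usage on a real host: compose_preflight && run_compose
```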