Hi Fedora Kernel People,
The SELinux folks recently stumbled across some test failures due to a change in the Rawhide kernel config that happened this week while we are at -rc7 (see lore archive link below). Now, to be clear, I think the Kconfig change is good, TIOCSTI is generally pretty scary, but in my opinion changing the kernel config at the -rc7 stage is also a bit scary :) I don't know all the background on the Rawhide change, or if there is a policy for Rawhide Kconfig changes, but if it is possible I would suggest the in the future it might be advisable to restrict Kconfig changes past -rc5 (give or take) to only those which are critical changes.
Test/CI failures this late in the kernel -rc cycle are always a little worrisome and it would be nice to know that we're not intentionally making it worse ;)
https://lore.kernel.org/selinux/CAHC9VhRT0d-XWkw8uLGOmXsaQFpA4MMP6+sL5kfONbf...
On Fri, Feb 10, 2023 at 12:15 PM Paul Moore paul@paul-moore.com wrote:
Hi Fedora Kernel People,
The SELinux folks recently stumbled across some test failures due to a change in the Rawhide kernel config that happened this week while we are at -rc7 (see lore archive link below). Now, to be clear, I think the Kconfig change is good, TIOCSTI is generally pretty scary, but in my opinion changing the kernel config at the -rc7 stage is also a bit scary :) I don't know all the background on the Rawhide change, or if there is a policy for Rawhide Kconfig changes, but if it is possible I would suggest the in the future it might be advisable to restrict Kconfig changes past -rc5 (give or take) to only those which are critical changes.
Test/CI failures this late in the kernel -rc cycle are always a little worrisome and it would be nice to know that we're not intentionally making it worse ;)
https://lore.kernel.org/selinux/CAHC9VhRT0d-XWkw8uLGOmXsaQFpA4MMP6+sL5kfONbf...
... and of course as soon as I hit send on the previous email I see a new test/CI run has completed with CONFIG_LEGACY_TIOCSTI back to being set/y :) Regardless, I'd still like to encourage restraint on Kconfig changes late in the -rc cycle if possible.
On Fri, Feb 10, 2023 at 11:28 AM Paul Moore paul@paul-moore.com wrote:
On Fri, Feb 10, 2023 at 12:15 PM Paul Moore paul@paul-moore.com wrote:
Hi Fedora Kernel People,
The SELinux folks recently stumbled across some test failures due to a change in the Rawhide kernel config that happened this week while we are at -rc7 (see lore archive link below). Now, to be clear, I think the Kconfig change is good, TIOCSTI is generally pretty scary, but in my opinion changing the kernel config at the -rc7 stage is also a bit scary :) I don't know all the background on the Rawhide change, or if there is a policy for Rawhide Kconfig changes, but if it is possible I would suggest the in the future it might be advisable to restrict Kconfig changes past -rc5 (give or take) to only those which are critical changes.
Test/CI failures this late in the kernel -rc cycle are always a little worrisome and it would be nice to know that we're not intentionally making it worse ;)
https://lore.kernel.org/selinux/CAHC9VhRT0d-XWkw8uLGOmXsaQFpA4MMP6+sL5kfONbf...
... and of course as soon as I hit send on the previous email I see a new test/CI run has completed with CONFIG_LEGACY_TIOCSTI back to being set/y :) Regardless, I'd still like to encourage restraint on Kconfig changes late in the -rc cycle if possible.
Not sure why there would be another with it set to =y, it is set to =y for ELN/RHEL, but is turned off for Fedora. I do apologize for the late addition. I do try to set them earlier, but due to some existing MRs and other priorities I waited and did not set any of the 6.2 configs for Fedora until this week.
Justin
On Fri, Feb 10, 2023 at 9:10 PM Justin Forbes jmforbes@linuxtx.org wrote:
On Fri, Feb 10, 2023 at 11:28 AM Paul Moore paul@paul-moore.com wrote:
On Fri, Feb 10, 2023 at 12:15 PM Paul Moore paul@paul-moore.com wrote:
Hi Fedora Kernel People,
The SELinux folks recently stumbled across some test failures due to a change in the Rawhide kernel config that happened this week while we are at -rc7 (see lore archive link below). Now, to be clear, I think the Kconfig change is good, TIOCSTI is generally pretty scary, but in my opinion changing the kernel config at the -rc7 stage is also a bit scary :) I don't know all the background on the Rawhide change, or if there is a policy for Rawhide Kconfig changes, but if it is possible I would suggest the in the future it might be advisable to restrict Kconfig changes past -rc5 (give or take) to only those which are critical changes.
Test/CI failures this late in the kernel -rc cycle are always a little worrisome and it would be nice to know that we're not intentionally making it worse ;)
https://lore.kernel.org/selinux/CAHC9VhRT0d-XWkw8uLGOmXsaQFpA4MMP6+sL5kfONbf...
... and of course as soon as I hit send on the previous email I see a new test/CI run has completed with CONFIG_LEGACY_TIOCSTI back to being set/y :) Regardless, I'd still like to encourage restraint on Kconfig changes late in the -rc cycle if possible.
Not sure why there would be another with it set to =y, it is set to =y for ELN/RHEL, but is turned off for Fedora. I do apologize for the late addition. I do try to set them earlier, but due to some existing MRs and other priorities I waited and did not set any of the 6.2 configs for Fedora until this week.
There's something weird going on, because it has been flipped several times in dist-git (kernel-x86_64-fedora.config file): 4376058937ad4fea84039d3f771ff7353add9840: kernel-6.2.0-0.rc7.20230210git38c1e0c65865.54 changed y->n 64f643ed7fd2868bfaa8e230acfe3d547a58e626: kernel-6.2.0-0.rc7.20230210git38c1e0c65865.54 changed n->y 9c6fc5421516884b09e8f7ce36dffbf8c4ca66aa: kernel-6.2.0-0.rc7.20230209git0983f6bf2bfc.52 changed y->n 137e8e95cc84597967b6d994ea3d088d53f7ce6e: kernel-6.2.0-0.rc0.20221219gitf9ff5644bcc0.7 initially set to y
Some maintainer script gremlins acting up? :)
On Sat, Feb 11, 2023 at 1:37 AM Ondrej Mosnáček omosnacek@gmail.com wrote:
On Fri, Feb 10, 2023 at 9:10 PM Justin Forbes jmforbes@linuxtx.org wrote:
On Fri, Feb 10, 2023 at 11:28 AM Paul Moore paul@paul-moore.com wrote:
On Fri, Feb 10, 2023 at 12:15 PM Paul Moore paul@paul-moore.com wrote:
Hi Fedora Kernel People,
The SELinux folks recently stumbled across some test failures due to a change in the Rawhide kernel config that happened this week while we are at -rc7 (see lore archive link below). Now, to be clear, I think the Kconfig change is good, TIOCSTI is generally pretty scary, but in my opinion changing the kernel config at the -rc7 stage is also a bit scary :) I don't know all the background on the Rawhide change, or if there is a policy for Rawhide Kconfig changes, but if it is possible I would suggest the in the future it might be advisable to restrict Kconfig changes past -rc5 (give or take) to only those which are critical changes.
Test/CI failures this late in the kernel -rc cycle are always a little worrisome and it would be nice to know that we're not intentionally making it worse ;)
https://lore.kernel.org/selinux/CAHC9VhRT0d-XWkw8uLGOmXsaQFpA4MMP6+sL5kfONbf...
... and of course as soon as I hit send on the previous email I see a new test/CI run has completed with CONFIG_LEGACY_TIOCSTI back to being set/y :) Regardless, I'd still like to encourage restraint on Kconfig changes late in the -rc cycle if possible.
Not sure why there would be another with it set to =y, it is set to =y for ELN/RHEL, but is turned off for Fedora. I do apologize for the late addition. I do try to set them earlier, but due to some existing MRs and other priorities I waited and did not set any of the 6.2 configs for Fedora until this week.
There's something weird going on, because it has been flipped several times in dist-git (kernel-x86_64-fedora.config file): 4376058937ad4fea84039d3f771ff7353add9840: kernel-6.2.0-0.rc7.20230210git38c1e0c65865.54 changed y->n 64f643ed7fd2868bfaa8e230acfe3d547a58e626: kernel-6.2.0-0.rc7.20230210git38c1e0c65865.54 changed n->y 9c6fc5421516884b09e8f7ce36dffbf8c4ca66aa: kernel-6.2.0-0.rc7.20230209git0983f6bf2bfc.52 changed y->n 137e8e95cc84597967b6d994ea3d088d53f7ce6e: kernel-6.2.0-0.rc0.20221219gitf9ff5644bcc0.7 initially set to y
Some maintainer script gremlins acting up? :)
Sadly this wasn't automated, it was a forgotten git push one day, and a dist-git push before my coffee the next (it wasn't built before it was fixed).
Justin
kernel@lists.fedoraproject.org
-
Justin Forbes -
Ondrej Mosnáček -
Paul Moore