rawhide stability

Daniel J Walsh dwalsh at redhat.com
Tue Jan 17 19:53:13 UTC 2006


Nicolas Mailhot wrote:
> Hans de Goede wrote:
>
>> It is really not that bad, as long as you learn:
>> -system does poof
>> -don't panic most likely selinux *
>> -reboot with selinux=disabled
>> -try again after a few days without selinux=disabled
>
> It's really that bad.
> If you're running half the time with selinux disabled, how are you 
> supposed to trace when/how individual selinux problems are 
> fixed/introduced ?
>
We are finished introducing new policy for additional targets at this 
point.  We should only be fixing existing policy problems.

There has been a major rewrite of policy in FC5.  This involved changes 
to all policy modules as we moved to modular policy.
MCS has also been introduced and major changes to allow MLS 
functionality.  Major changes are being introduced into the kernel all 
the time that affect SELinux.   The problem you are seeing was the 
addition of labeled networking via IPSEC.  I believe I have a new policy 
on ftp://people.redhat.com/dwalsh/SELinux 
(selinux-policy-targeted-2.1.12-1) which should fix your problem.  Will 
be in Rawhide tonight.  SELinux tends to be the fall guy for every other 
component that changes on the system.  For example if the maintainer of 
hal decides it needs to access a new directory and the developer is not 
running selinux in enforcing mode, then the new version of hal gets 
introduced which is broken by SELinux in enforcing mode.  So it looks 
like SELinux is broken when in reality the problem was that the SELinux 
developers did not know about the change to hal.  Rawhide breaks and the 
SELinux policy developers fix it in the next day's rawhide.  Not an 
excuse, but it is the reality of the Rawhide environment.  Hopefully as we 
get closer to shipping, these problems will lessen.

audit2allow -M module will now allow you to build your own policy 
modules when something breaks.  This will allow you to work around 
problems in a sane manner.
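
Added example, not part of the original message and not audit2allow's own code: a simplified Python sketch of how AVC denials map to the allow rules of a local policy module, so the rules can be read before anything is loaded. The log lines, the module name `local` and the types shown are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not taken from the original message).
SAMPLE_LOG = """\
type=AVC msg=audit(1137527593.101:45): avc:  denied  { read } for  pid=2301 comm="hald" name="example" dev=dm-0 ino=1201 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1137527593.207:46): avc:  denied  { search } for  pid=2301 comm="hald" name="example" dev=dm-0 ino=1201 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1137527594.010:47): avc:  denied  { net_admin } for  pid=2301 comm="hald" capability=12 scontext=system_u:system_r:hald_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=capability
type=AVC msg=audit(1137527595.500:48): avc:  granted  { setenforce } for  pid=900 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

AVC = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def denials_to_rules(log):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC.search(line)
        if not m:  # skips 'granted' records and non-AVC lines
            continue
        perms, scon, tcon, tclass = m.groups()
        # A context is user:role:type[:level]; the type is the third field.
        src, tgt = scon.split(":")[2], tcon.split(":")[2]
        rules[(src, tgt, tclass)].update(perms.split())
    return dict(rules)

def render_te(name, rules):
    """Render the merged denials as type-enforcement (.te) module source."""
    types = sorted({t for s, g, _ in rules for t in (s, g)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};"
            for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt  # same-type access is written as 'self'
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_te("local", denials_to_rules(SAMPLE_LOG)))
```

Every denial in the input becomes a permanent allow rule, so the rendered rules are worth reading line by line and trimming to what the broken component actually needs.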
