selinux rant, compressed version (Was Re: kernels won't boot)

Andrew Farris lordmorgul at gmail.com
Fri Jan 4 03:28:21 UTC 2008


Steve Grubb wrote:
> I wonder if a tool could be developed to do something like nmap and compare 
> current syscalls with an older version. It wouldn't be able to track resource 
> usage (files/sockets), which is another thing selinux regulates, but it could 
> tell you a little about if a new version is going to have problems. If we 
> could simply tell that a new package required policy changes, that would be 
> half the battle.

I don't know if that would be possible, but I think that would be beneficial and
expedite getting the correct policy changes in place for testing updates as well
as new packages.  One major issue with testing these packages with enforced
selinux is that you often cannot get the program to operate even enough to
'test' it, and it can take quite a while to get the policy change so you can then
continue trying enforcing mode.  That tiring cycle is probably why so many
testers just toggle it off, and then it just takes longer to find all the
denials for test packages.

I suppose the maintainer just doing a cursory selinux test of their own before
getting package builds dropped into rawhide might help... I'm sure many do but
it would seem that some don't.  Just getting a BZ filed with the denials asap is
important.

-- 
Andrew Farris <lordmorgul at gmail.com> <ajfarris at gmail.com>
 gpg 0xC99B1DF3 fingerprint CDEC 6FAD BA27 40DF 707E A2E0 F0F6 E622 C99B 1DF3
No one now has, and no one will ever again get, the big picture. - Daniel Geer
----                                                                       ----
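A minimal sketch of the syscall-comparison tool Steve describes above, added here as an example and not code from this thread or any Fedora tooling: it parses two strace logs (constructed samples for a hypothetical daemon "foo"), lists the syscalls the new build uses for the first time, and maps each to the kind of policy change a tester would likely have to ask for. The POLICY_HINTS table is my own assumption about common cases, and, as Steve notes, this sees only syscalls, not which files or sockets they touch.

```python
import re
from collections import Counter

# Constructed strace output for an old and a new build of a hypothetical
# daemon "foo" (sample data for this example, not a real Fedora package).
OLD_TRACE = """\
execve("/usr/sbin/foo", ["foo"], 0x7ffd) = 0
openat(AT_FDCWD, "/etc/foo.conf", O_RDONLY) = 3
read(3, "...", 4096) = 10
close(3) = 0
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
bind(4, {sa_family=AF_INET, sin_port=htons(8080)}, 16) = 0
"""
NEW_TRACE = OLD_TRACE + """\
[pid  1234] socket(AF_UNIX, SOCK_DGRAM, 0) = 5
[pid  1234] connect(5, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
[pid  1234] mmap(NULL, 8192, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f00
"""

# Syscall name at line start, with or without the "[pid N]" prefix strace -f
# adds; "<... resumed>" lines do not match and so are not double counted.
SYSCALL_RE = re.compile(r"^(?:\[pid\s+\d+\]\s+)?(\w+)\(")

# Heuristic (an assumption for triage, not an exhaustive table).
POLICY_HINTS = {
    "socket": "new socket class (e.g. unix_dgram_socket) allowed for the domain",
    "connect": "connect permission, plus name_connect for TCP ports",
    "bind": "bind permission, plus name_bind on the port type",
    "mmap": "execmem if writable+executable anonymous mappings appear",
}

def syscall_counts(trace):
    """Count how often each syscall name appears in an strace log."""
    counts = Counter()
    for line in trace.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def compare_syscalls(old_trace, new_trace):
    """Return (added, removed): syscalls only the new or only the old build uses."""
    old, new = syscall_counts(old_trace), syscall_counts(new_trace)
    return sorted(set(new) - set(old)), sorted(set(old) - set(new))

def policy_review(old_trace, new_trace):
    """Map each newly used syscall to the policy change it likely needs."""
    added, _ = compare_syscalls(old_trace, new_trace)
    return {name: POLICY_HINTS.get(name, "review manually") for name in added}
```

Run the old and new builds under `strace -f -o old.log` / `strace -f -o new.log` with the same test workload and feed both files to `policy_review` to get a first list of denials to expect before switching to enforcing mode.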