selinux rant, compressed version (Was Re: kernels won't boot)
Daniel J Walsh
dwalsh at redhat.com
Fri Jan 11 15:05:41 UTC 2008
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
David Zeuthen wrote:
> On Thu, 2008-01-03 at 17:07 -0500, Daniel J Walsh wrote:
>> Well there are several problems with allowing the individual maintainers
>> manage their own policy.
>>
>> #1 they won't.
>> #2 when they do, they do a very bad job of it. Or basically just end up
>> with unconfined_t.
>> #3 The tools are too slow. Having 100 semodule -i will cause the
>> installation to take for ever.
>> #4 Interaction between confined domains does not work well when multiple
>> maintainers writing policy.
>> sendmail, procmail, spamassassin, clamav, postfix, qmail, mailserver,
>> pyzor ... All interact in very complex ways.
>> #5 conflicts on file_context directories/files
>
> See.. cause and effect.. #1 and #2 are the effects of #3 and the fact
> that the policy is way too big and the whole system is way too
> complicated.
>
> Besides.. I have asked probably more than ten times (both electronically
> and in person) about maintaining the selinux policy for hal in the
> _upstream_ tarball but I've always been told that it's not possible or
> I've been told to wait. In the meantime it's business as usual; things
> are broken and people turn off SELinux.
>
> Here's a challenge: Send me a patch against the hal git repo and the
> RPM spec with the SELinux bits... Then I'll be happy to maintain it;
> including spending time on learning SELinux well enough to do a good
> job. Is this even possible? Should it be possible?
>
>> David, You are writing an application that is trying to do things on
>> behalf of the user as root. These activities will cause conflicts and
>> need to be well controlled. So you are likely to run into problems with
>> SELinux.
>
> Sigh. Do you really honestly think this is a good answer for upstream
> maintainers that are _willing_ to help?
>
> David
>
>
I have build a spec file and included the current rawhide sources for
both policy kit and hal. As soon as you are ready to ship them I will
move them to update status in the selinux-policy package.
If you need help building the policy or writing policy, please you
know how to reach me. :^)
If other maintainers are interested in shipping their own policy, I will
make it available.
Dan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iEYEARECAAYFAkeHhcQACgkQrlYvE4MpobNGwACgnBukrbuALtgu8/M3Uy1gB3Y4
SrkAn0kM5y0IeGosdRrs9JoTebino+Px
=H2NC
-----END PGP SIGNATURE-----
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hal-policy.tgz
Type: application/x-compressed-tar
Size: 5489 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20080111/c6a5e593/attachment-0002.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: hal-policy.tgz.sig
Type: application/octet-stream
Size: 72 bytes
Desc: not available
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20080111/c6a5e593/attachment-0002.obj
More information about the devel
mailing list