Developers of packages please pay attention to selinux labeling.
Adam Williamson
awilliam at redhat.com
Wed Jul 14 00:04:15 UTC 2010
On Tue, 2010-07-13 at 16:33 +0100, Pádraig Brady wrote:
> On 13/07/10 15:47, Tomasz Torcz wrote:
> > On Tue, Jul 13, 2010 at 03:11:44PM +0100, Christopher Brown wrote:
> >>>
> >>> As long as you give us a heads up we can prevent these types of blowups.
> >>> Since this policy is shared between yum, packagekit
> >>
> >> Whilst I appreciate your huge efforts to provide users with a more
> >> secure system, you need to realise that SELinux as it stands at the
> >> moment is utterly broken. As you clearly don't think this is the case,
> >> please spend some time in userland before beating on developers for
> >> not caring about this.
> >
> >
> > On the other hand, I cannot understand why packagers submit packages that
> > have no chance to work in default Fedora settings, with SELinux in Enforcing mode.
>
> Nobody I know enables SELinux.
> smolt says about half leave it enabled:
> http://smolts.org/static/stats/stats.html
> But I'm guessing a lot of experienced users/devs
> disable it given previous experiences...
> It's a bit of a catch 22 really.
>
> Personally I do momentarily enable to test but always disable
> because of _hundreds_ of errors in the applet thingy.
> Enabling in non enforcing mode causes a huge performance hit,
> causing for example the "do you want to kill" dialog to pop up
> when I try to quit firefox.
I have it enabled all the time on all my machines, and have never seen
either problem. I only get a small number of alerts, which I always
report to Bugzilla. I find Dan usually fixes them very quickly.
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
More information about the devel
mailing list