Drawing lessons from fatal SELinux bug #1054350

Reindl Harald h.reindl at thelounge.net
Fri Jan 24 20:23:46 UTC 2014



On 24.01.2014 21:13, drago01 wrote:
> On Fri, Jan 24, 2014 at 7:35 PM, Reindl Harald <h.reindl at thelounge.net> wrote:
>> On 24.01.2014 19:31, Reindl Harald wrote:
>>>
>>> On 24.01.2014 19:18, drago01 wrote:
>>>> On Fri, Jan 24, 2014 at 7:12 PM, Fabian Deutsch <fabian.deutsch at gmx.de> wrote:
>>>>> On Friday, 24.01.2014, 00:55 +0100, Kevin Kofler wrote:
>>>>>> it is time to analyze the fallout from the following catastrophic
>>>>>> Fedora 20
>>>>>> regression:
>>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1054350
>>>>>> "rpm scriptlets are exiting with status 127"
>>>>>
>>>>> Hey,
>>>>>
>>>>> can't we add a default boot entry which starts the system in permissive
>>>>> mode?
>>>>
>>>> How would that help? If a user knows enough about the issue to try it
>>>> he/she could just switch to permissive mode
>>>
>>> in *that* case
>>>
>>> in a case where a broken selinux update leads to no boot at all
>>> i can not imagine what i would do besides boot with a CD/DVD/USB
>>
>> to be clear - *i can* edit the boot-params and put selinux=0 there
>>
>> the average user can't but he may remember "uhm something with selinux
>> was one of the last updates"
> 
> You are assuming that the "average user" even knows what selinux is
> or reviews the list of packages for every update.
> I doubt either of them is true.

as i said often:

linux systems tend also to get way too closed

many things are hidden in the assumption "the user does not want to be disturbed
with this and that information and install as well as boot needs to be pretty
and shiny"

* rhgb
* quiet
* hidden grub-menu

hence, while you install Fedora there should be a (default enabled) checkbox
asking if you want to enable SELinux with a short description what it is

>> and try the however named option, keep
>> in mind some people own only one machine and can't google for help
> 
> I doubt that. Most people do have multiple ways to access the internet
> (multiple computers, tablets, phones, game consoles ...) it is 2014
> not 1996

technically yes

practically how much fun does somebody have to google on a smart-phone
for a solution while he is frustrated and angry - and even if - do not
assume that all users are living in your social structure, that is not
really true

for me it is no problem, on the other hand there is a guy on the CentOS
list with the thread "died again" seeking for a hardware problem and
stating he has no money to change his 10 or so years old computer while
you and i would have thrown out that crap by the next window weeks ago
