[Fedora-packaging] SELinux testing

Steven Pritchard steve at silug.org
Sat Sep 9 16:15:06 UTC 2006


On Fri, Sep 08, 2006 at 04:50:44PM -0400, James Morris wrote:
> 7. If for some reason, #2 is not possible, and the release of the package 
> is important enough to warrant disabling a core security feature of the 
> OS:
> 
> 7a. Make a note of the bugzilla # from (1) in the rpm info, cvs commit and
> release notes, with an explanation.  Also include a standardized
> disclaimer in the rpm info which advises the user of the security risks
> arising from disabling SELinux.  This should only happen in truly
> exceptional cases.  I'm not sure how we can reliably notify users that
> SELinux can be re-enabled again, and whether they'll tolerate the entire
> fs being relabeled on reboot.  Really, this just should not happen.

Can the policy for one application be turned off?  (I honestly don't
know...  I haven't been able to justify spending the time to really
wrap my brain around SELinux yet.)

If not, that seems like a major flaw.  It seems to me that if a user
could just toggle off checks for a particular application (and reboot,
I would assume) and have everything work well enough, there would be
an incentive to fix the one application to work with SELinux instead
of just turning off SELinux entirely.

BTW, my limited experience with SELinux issues with one of my packages
is here:

  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=187305

The time it took to resolve that bug really should be a hint that
we're not ready to require SELinux compatibility in Extras yet.

Steve
-- 
Steven Pritchard - K&S Pritchard Enterprises, Inc.
Email: steve at kspei.com             http://www.kspei.com/
Phone: (618)398-3000               Mobile: (618)567-7320



